Edit tour

Windows Analysis Report
Payment-Order #24560274 for 8,380 USD.exe

Overview

General Information

Sample name:	Payment-Order #24560274 for 8,380 USD.exe
Analysis ID:	1585875
MD5:	f19ce6f6790292bbd9b8533d33b1a46f
SHA1:	ce057013f389e0f2506f4cd495799d684b0be2a3
SHA256:	67afda69254336cc140c2fe7474eb6b93c27ec134b07f91a604bee1c15c9135c
Tags:	exeuser-adrian__luca
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

Payment-Order #24560274 for 8,380 USD.exe (PID: 5484 cmdline: "C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe" MD5: F19CE6F6790292BBD9B8533D33B1A46F)

conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 6224 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 3200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 1508 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["212.23.222.198"], "Port": 7000, "Aes key": "<1234567829>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3636532690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.3636532690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6186:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6223:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6338:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5ff6:$cnc4: POST / HTTP/1.1
00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x80bca6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x80bd43:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x80be58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x80bb16:$cnc4: POST / HTTP/1.1
00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1872ee:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19b096:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x18738b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x19b133:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1874a0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x19b248:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x18715e:$cnc4: POST / HTTP/1.1 0x19af06:$cnc4: POST / HTTP/1.1
Process Memory Space: Payment-Order #24560274 for 8,380 USD.exe PID: 5484	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: MSBuild.exe PID: 6224	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.MSBuild.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x516e:$str01: $VB$Local_Port 0x515f:$str02: $VB$Local_Host 0x5368:$str03: get_Jpeg 0x4eb2:$str04: get_ServicePack 0x5dc2:$str05: Select * from AntivirusProduct 0x5ee4:$str06: PCRestart 0x5ef8:$str07: shutdown.exe /f /r /t 0 0x5f98:$str08: StopReport 0x5f6e:$str09: StopDDos 0x5fde:$str10: sendPlugin 0x6020:$str11: OfflineKeylogger Not Enabled 0x61a6:$str12: -ExecutionPolicy Bypass -File " 0x62db:$str13: Content-length: 5235
3.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6386:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6423:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6538:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x61f6:$cnc4: POST / HTTP/1.1
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x336e:$str01: $VB$Local_Port 0x335f:$str02: $VB$Local_Host 0x3568:$str03: get_Jpeg 0x30b2:$str04: get_ServicePack 0x3fc2:$str05: Select * from AntivirusProduct 0x40e4:$str06: PCRestart 0x40f8:$str07: shutdown.exe /f /r /t 0 0x4198:$str08: StopReport 0x416e:$str09: StopDDos 0x41de:$str10: sendPlugin 0x4220:$str11: OfflineKeylogger Not Enabled 0x43a6:$str12: -ExecutionPolicy Bypass -File " 0x44db:$str13: Content-length: 5235
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4586:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4623:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4738:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x43f6:$cnc4: POST / HTTP/1.1
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x336e:$str01: $VB$Local_Port 0x335f:$str02: $VB$Local_Host 0x3568:$str03: get_Jpeg 0x30b2:$str04: get_ServicePack 0x3fc2:$str05: Select * from AntivirusProduct 0x40e4:$str06: PCRestart 0x40f8:$str07: shutdown.exe /f /r /t 0 0x4198:$str08: StopReport 0x416e:$str09: StopDDos 0x41de:$str10: sendPlugin 0x4220:$str11: OfflineKeylogger Not Enabled 0x43a6:$str12: -ExecutionPolicy Bypass -File " 0x44db:$str13: Content-length: 5235
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4586:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4623:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4738:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x43f6:$cnc4: POST / HTTP/1.1
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x336e:$str01: $VB$Local_Port 0x335f:$str02: $VB$Local_Host 0x3568:$str03: get_Jpeg 0x30b2:$str04: get_ServicePack 0x3fc2:$str05: Select * from AntivirusProduct 0x40e4:$str06: PCRestart 0x40f8:$str07: shutdown.exe /f /r /t 0 0x4198:$str08: StopReport 0x416e:$str09: StopDDos 0x41de:$str10: sendPlugin 0x4220:$str11: OfflineKeylogger Not Enabled 0x43a6:$str12: -ExecutionPolicy Bypass -File " 0x44db:$str13: Content-length: 5235
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4586:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4623:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4738:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x43f6:$cnc4: POST / HTTP/1.1
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x516e:$str01: $VB$Local_Port 0x515f:$str02: $VB$Local_Host 0x5368:$str03: get_Jpeg 0x4eb2:$str04: get_ServicePack 0x5dc2:$str05: Select * from AntivirusProduct 0x5ee4:$str06: PCRestart 0x5ef8:$str07: shutdown.exe /f /r /t 0 0x5f98:$str08: StopReport 0x5f6e:$str09: StopDDos 0x5fde:$str10: sendPlugin 0x6020:$str11: OfflineKeylogger Not Enabled 0x61a6:$str12: -ExecutionPolicy Bypass -File " 0x62db:$str13: Content-length: 5235
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6386:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6423:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6538:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x61f6:$cnc4: POST / HTTP/1.1
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x516e:$str01: $VB$Local_Port 0x18f16:$str01: $VB$Local_Port 0x515f:$str02: $VB$Local_Host 0x18f07:$str02: $VB$Local_Host 0x5368:$str03: get_Jpeg 0x19110:$str03: get_Jpeg 0x4eb2:$str04: get_ServicePack 0x18c5a:$str04: get_ServicePack 0x5dc2:$str05: Select * from AntivirusProduct 0x19b6a:$str05: Select * from AntivirusProduct 0x5ee4:$str06: PCRestart 0x19c8c:$str06: PCRestart 0x5ef8:$str07: shutdown.exe /f /r /t 0 0x19ca0:$str07: shutdown.exe /f /r /t 0 0x5f98:$str08: StopReport 0x19d40:$str08: StopReport 0x5f6e:$str09: StopDDos 0x19d16:$str09: StopDDos 0x5fde:$str10: sendPlugin 0x19d86:$str10: sendPlugin 0x6020:$str11: OfflineKeylogger Not Enabled
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6386:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1a12e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6423:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1a1cb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6538:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1a2e0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x61f6:$cnc4: POST / HTTP/1.1 0x19f9e:$cnc4: POST / HTTP/1.1
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x516e:$str01: $VB$Local_Port 0x515f:$str02: $VB$Local_Host 0x5368:$str03: get_Jpeg 0x4eb2:$str04: get_ServicePack 0x5dc2:$str05: Select * from AntivirusProduct 0x5ee4:$str06: PCRestart 0x5ef8:$str07: shutdown.exe /f /r /t 0 0x5f98:$str08: StopReport 0x5f6e:$str09: StopDDos 0x5fde:$str10: sendPlugin 0x6020:$str11: OfflineKeylogger Not Enabled 0x61a6:$str12: -ExecutionPolicy Bypass -File " 0x62db:$str13: Content-length: 5235
0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6386:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6423:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6538:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x61f6:$cnc4: POST / HTTP/1.1
Click to see the 16 entries

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:32:09.836709+0100	2859459	1	Malware Command and Control Activity Detected	192.168.2.9	52880	212.23.222.198	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.3640980221.0000000003211000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["212.23.222.198"], "Port": 7000, "Aes key": "<1234567829>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for submitted file

Source: Payment-Order #24560274 for 8,380 USD.exe	Virustotal: Detection: 52%			Perma Link
Source: Payment-Order #24560274 for 8,380 USD.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 212.23.222.198
Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 7000
Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	String decryptor: <1234567829>
Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	String decryptor: USB.exe

Source: Payment-Order #24560274 for 8,380 USD.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: @To.pdb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb J0 source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdbSystem.Xml.dllSystem.Core.ni.dll source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbd source: MSBuild.exe, 00000003.00000002.3639572299.0000000001338000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: ?ToC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbO source: MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000003.00000002.3642568255.0000000006405000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp, WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.3642568255.0000000006405000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbpdbild.pdb< source: MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: HPHo0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 4x nop then push rdi	0_2_00007FF7A6624450
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 4x nop then push rdi	0_2_00007FF7A6620200
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 4x nop then mov rax, rcx	0_2_00007FF7A65B9FC0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 4x nop then push rbx	0_2_00007FF7A65FCC30
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7A65CF9C0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7A6627A90
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 4x nop then push rbx	0_2_00007FF7A65CFAA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2859460 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49705 -> 212.23.222.198:7000
Source: Network traffic	Suricata IDS: 2859459 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:52880 -> 212.23.222.198:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 212.23.222.198

Source: global traffic

TCP traffic: 192.168.2.9:49705 -> 212.23.222.198:7000

Source: global traffic

TCP traffic: 192.168.2.9:52736 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: TMRDE TMRDE

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.222.198

Source: global traffic

DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: MSBuild.exe, 00000003.00000002.3640980221.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.3636532690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment-Order #24560274 for 8,380 USD.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6568830	0_2_00007FF7A6568830
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6559340	0_2_00007FF7A6559340
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6566190	0_2_00007FF7A6566190
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A656D16A	0_2_00007FF7A656D16A
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A656DFD0	0_2_00007FF7A656DFD0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6570C50	0_2_00007FF7A6570C50
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6552750	0_2_00007FF7A6552750
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657C800	0_2_00007FF7A657C800
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65667F0	0_2_00007FF7A65667F0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657A7B0	0_2_00007FF7A657A7B0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A656A850	0_2_00007FF7A656A850
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65A1910	0_2_00007FF7A65A1910
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65788D9	0_2_00007FF7A65788D9
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A655E8A0	0_2_00007FF7A655E8A0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A654A8B0	0_2_00007FF7A654A8B0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657E540	0_2_00007FF7A657E540
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6561520	0_2_00007FF7A6561520
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6566610	0_2_00007FF7A6566610
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65735C0	0_2_00007FF7A65735C0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6563640	0_2_00007FF7A6563640
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A656B6B0	0_2_00007FF7A656B6B0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6574390	0_2_00007FF7A6574390
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6560360	0_2_00007FF7A6560360
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6572370	0_2_00007FF7A6572370
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657D320	0_2_00007FF7A657D320
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65483C4	0_2_00007FF7A65483C4
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65F3480	0_2_00007FF7A65F3480
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6550470	0_2_00007FF7A6550470
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6571470	0_2_00007FF7A6571470
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A656A420	0_2_00007FF7A656A420
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6549430	0_2_00007FF7A6549430
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657B4F0	0_2_00007FF7A657B4F0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65644D0	0_2_00007FF7A65644D0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657B180	0_2_00007FF7A657B180
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6565200	0_2_00007FF7A6565200
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6581200	0_2_00007FF7A6581200
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6568200	0_2_00007FF7A6568200
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65791B0	0_2_00007FF7A65791B0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657F280	0_2_00007FF7A657F280
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A661E240	0_2_00007FF7A661E240
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6548220	0_2_00007FF7A6548220
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65752E0	0_2_00007FF7A65752E0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65792CE	0_2_00007FF7A65792CE
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6573F60	0_2_00007FF7A6573F60
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A655EFE0	0_2_00007FF7A655EFE0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A66100E0	0_2_00007FF7A66100E0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65580D0	0_2_00007FF7A65580D0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6562D30	0_2_00007FF7A6562D30
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A656FDD0	0_2_00007FF7A656FDD0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657BEA0	0_2_00007FF7A657BEA0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A656FB40	0_2_00007FF7A656FB40
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6607BA0	0_2_00007FF7A6607BA0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657BBA0	0_2_00007FF7A657BBA0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6577C79	0_2_00007FF7A6577C79
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6575C20	0_2_00007FF7A6575C20
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6564CD9	0_2_00007FF7A6564CD9
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A657F960	0_2_00007FF7A657F960
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6551A00	0_2_00007FF7A6551A00
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A65799C3	0_2_00007FF7A65799C3
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6584A40	0_2_00007FF7A6584A40
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6546A50	0_2_00007FF7A6546A50
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6556A50	0_2_00007FF7A6556A50
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6569A50	0_2_00007FF7A6569A50
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: 0_2_00007FF7A6602AC0	0_2_00007FF7A6602AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_03155B50	3_2_03155B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_03155280	3_2_03155280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_03150B62	3_2_03150B62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_03154F38	3_2_03154F38

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Code function: String function: 00007FF7A654C1A0 appears 63 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 1508

Source: Payment-Order #24560274 for 8,380 USD.exe	Binary or memory string: OriginalFilename vs Payment-Order #24560274 for 8,380 USD.exe
Source: Payment-Order #24560274 for 8,380 USD.exe, 00000000.00000000.1495354896.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePaddedReferenceMetadataEnumResult.dlld" vs Payment-Order #24560274 for 8,380 USD.exe
Source: Payment-Order #24560274 for 8,380 USD.exe, 00000000.00000002.1501110340.000002AAB1C00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePaddedReferenceMetadataEnumResult.dlld" vs Payment-Order #24560274 for 8,380 USD.exe
Source: Payment-Order #24560274 for 8,380 USD.exe, 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePaddedReferenceMetadataEnumResult.dlld" vs Payment-Order #24560274 for 8,380 USD.exe
Source: Payment-Order #24560274 for 8,380 USD.exe, 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClientBZX.exe4 vs Payment-Order #24560274 for 8,380 USD.exe
Source: Payment-Order #24560274 for 8,380 USD.exe, 00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePaddedReferenceMetadataEnumResult.dlld" vs Payment-Order #24560274 for 8,380 USD.exe
Source: Payment-Order #24560274 for 8,380 USD.exe, 00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClientBZX.exe4 vs Payment-Order #24560274 for 8,380 USD.exe
Source: Payment-Order #24560274 for 8,380 USD.exe	Binary or memory string: OriginalFilenamePaddedReferenceMetadataEnumResult.dlld" vs Payment-Order #24560274 for 8,380 USD.exe

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.3636532690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: MSBuild.exe, 00000003.00000002.3642568255.0000000006405000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000003.00000002.3639572299.0000000001338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbd

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/5@1/1

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Code function: 0_2_00007FF7A6551830 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,

0_2_00007FF7A6551830

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Ihzd02cPcnJ09l8B

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\39f9499f-7d5f-41cc-ac82-1e4080ab9ccf

Jump to behavior

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment-Order #24560274 for 8,380 USD.exe	Virustotal: Detection: 52%
Source: Payment-Order #24560274 for 8,380 USD.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

File read: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe "C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe"
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 1508
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Payment-Order #24560274 for 8,380 USD.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Payment-Order #24560274 for 8,380 USD.exe

Static file information: File size 1461760 > 1048576

Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment-Order #24560274 for 8,380 USD.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Payment-Order #24560274 for 8,380 USD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: @To.pdb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb J0 source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdbSystem.Xml.dllSystem.Core.ni.dll source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbd source: MSBuild.exe, 00000003.00000002.3639572299.0000000001338000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: ?ToC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbO source: MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000003.00000002.3642568255.0000000006405000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp, WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.3642568255.0000000006405000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbpdbild.pdb< source: MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2C7D.tmp.dmp.10.dr
Source:	Binary string: HPHo0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.3642118203.000000000579B000.00000004.00000010.00020000.00000000.sdmp

Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, Messages.cs	.Net Code: Memory

Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: section name: .managed
Source: Payment-Order #24560274 for 8,380 USD.exe	Static PE information: section name: hydrated

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Memory allocated: 2AAAB670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 8791			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1052			Jump to behavior

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-29279

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1792	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1792	Thread sleep time: -38738162554790034s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2036	Thread sleep count: 8791 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2036	Thread sleep count: 1052 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Code function: 0_2_00007FF7A6551460 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF7A6551460

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 00000003.00000002.3639572299.0000000001338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Code function: 0_2_00007FF7A65AB64C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF7A65AB64C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000	Jump to behavior
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CB1008	Jump to behavior

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Jump to behavior

Source: MSBuild.exe, 00000003.00000002.3640980221.000000000342F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.000000000363B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.00000000032F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: MSBuild.exe, 00000003.00000002.3640980221.000000000342F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.000000000363B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.00000000032F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
Source: MSBuild.exe, 00000003.00000002.3640980221.000000000342F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.000000000363B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.00000000032F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000003.00000002.3640980221.000000000342F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.000000000363B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.00000000032F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: MSBuild.exe, 00000003.00000002.3640980221.000000000342F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.000000000363B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3640980221.00000000032F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: GetLocaleInfoEx,		0_2_00007FF7A65D8FB0
Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe	Code function: GetLocaleInfoEx,		0_2_00007FF7A65D9080

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe

Code function: 0_2_00007FF7A65AB27C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7A65AB27C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nder\MsMpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r\MsMpeng.exe
Source: MSBuild.exe, 00000003.00000002.3639572299.0000000001338000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3639572299.00000000013BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3636532690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment-Order #24560274 for 8,380 USD.exe PID: 5484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6224, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aab3601920.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf980f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment-Order #24560274 for 8,380 USD.exe.2aaaf994d10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3636532690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment-Order #24560274 for 8,380 USD.exe PID: 5484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6224, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	312 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment-Order #24560274 for 8,380 USD.exe	53%	Virustotal		Browse
Payment-Order #24560274 for 8,380 USD.exe	66%	ReversingLabs	Win64.Trojan.XWorm

Source	Detection	Scanner	Label	Link
212.23.222.198	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
241.42.69.40.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
212.23.222.198	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000003.00000002.3640980221.0000000003211000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.23.222.198	unknown	unknown		12329	TMRDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585875
Start date and time:	2025-01-08 12:29:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment-Order #24560274 for 8,380 USD.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/5@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 52% Number of executed functions: 81 Number of non-executed functions: 88
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 199.232.214.172, 192.229.221.95, 13.85.23.206, 20.242.39.171, 40.69.42.241, 172.202.163.200, 4.175.87.197, 40.126.31.73, 40.126.31.69, 20.190.159.2, 40.126.31.67, 40.126.31.71, 20.190.159.4, 20.190.159.64, 20.190.159.75, 52.168.117.173, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 6224 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:30:33	API Interceptor	5440732x Sleep call for process: MSBuild.exe modified
06:34:03	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	13.107.246.45
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Subscription_Renewal_Invoice_2025_HKVXTC.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.246.45
	7ccf88c0bbe3b29bf19d877c4596a8d4.zip	Get hash	malicious	Unknown	Browse	13.107.246.45
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	13.107.246.45
	https://sUNg.ethamoskag.ru/0cUrcw3/#Msburkholder@heartland-derm.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	Sburkholder.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	audio.mp3_JasonhTranscript.html	Get hash	malicious	Unknown	Browse	13.107.246.45
fp2e7a.wpc.phicdn.net	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.229.221.95
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe	Get hash	malicious	AsyncRAT, GhostRat	Browse	192.229.221.95
	xmr.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip	Get hash	malicious	Unknown	Browse	192.229.221.95
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	192.229.221.95
	startuppp.bat	Get hash	malicious	Unknown	Browse	192.229.221.95
	amiri.EXE	Get hash	malicious	Unknown	Browse	192.229.221.95
bg.microsoft.map.fastly.net	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	e-SPT Masa PPh.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	e-SPT Masa PPh.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	I6la3suRdt.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172
	Sburkholder.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	U02LaPwnkd.exe	Get hash	malicious	ValleyRAT	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TMRDE	Hilix.mips.elf	Get hash	malicious	Mirai	Browse	185.245.176.190
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	62.221.244.56
	Summaryform_FXnbLLyKOJ.wsf	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	212.23.222.200
	Summaryform_TgQFBSAqdC.zip	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	212.23.222.200
	2C8CDA2CCC942B4EDA8E1EE37A8F68C557FEE80E14244.exe	Get hash	malicious	Quasar	Browse	212.23.222.42
	Hilix.mips.elf	Get hash	malicious	Mirai	Browse	185.245.176.189
	BiU282bjyR.exe	Get hash	malicious	Remcos	Browse	212.23.211.238
	https://ipfs.io/ipfs/QmdTwDBzfv7vcTnw34YZhB4VroSotz2NY5Hc5FzzQX8qxQ#rramis@isciii.es	Get hash	malicious	HTMLPhisher	Browse	212.23.144.169
	wx7x7YkSI8.elf	Get hash	malicious	Unknown	Browse	185.249.170.212
	2DLd2J82an.elf	Get hash	malicious	Mirai	Browse	212.23.154.151

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msbuild.exe_8c87657e7f4436c9bc615563fd86f2ef7eb379e_833cf7ea_edbdef1e-03ce-41a2-802a-63ffe250d54f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1705584023715618
Encrypted:	false
SSDEEP:	192:w43cOxPp0BU/KaaTHy8wdEmzuiFcOZ24IO8G:XfxyBU/Ka2SrdzuiFcOY4IO8G
MD5:	A1594814D31B7A853370B1085698E843
SHA1:	7879C62C83CFDFC26DF60DE6CFA8B8E54B3EF137
SHA-256:	7044460E6F452CAB095136A7B202371C77CF3DE4C82B7F57BA715C30FD610717
SHA-512:	6954E7CA347050D6C3101113540507B8F8B9E007532D2DC9CDF6EC67AC23DA92688C2C68D922F8CB31996EF9C4395D13D105E97570540B5B9B35DB86B56A348E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.0.9.6.2.4.0.6.1.5.2.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.0.9.6.2.4.6.3.9.6.6.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.b.d.e.f.1.e.-.0.3.c.e.-.4.1.a.2.-.8.0.2.a.-.6.3.f.f.e.2.5.0.d.5.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.3.f.0.a.9.f.-.b.a.b.3.-.4.9.b.c.-.a.6.e.2.-.2.d.b.b.2.0.d.d.a.6.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.s.b.u.i.l.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.5.0.-.0.0.0.1.-.0.0.1.4.-.b.3.a.5.-.d.7.b.8.c.0.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.6.2.5.6.a.0.1.5.9.6.8.8.f.0.5.6.0.b.0.1.5.d.a.4.d.9.6.7.f.4.1.c.b.f.8.c.9.b.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C7D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 8 11:33:44 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	279399
Entropy (8bit):	3.784624608667258
Encrypted:	false
SSDEEP:	3072:bZV8W2fPhAfZc4uEqXyHJLTgNSkX4iWNkBA:bZ0fcZc4uy1Tg4U4i/
MD5:	B15413B030358E948FB838C4A3459F20
SHA1:	8402CD4B362F90389723D2E03210EDC350284EFE
SHA-256:	1558EC19FE2FEF797286077B26F7ADAECAEBD07AECC6521D1F4070D2C05C8AC0
SHA-512:	6797DDF7CB31E475334800EC540207EC747FDAE92ECECBD845CAD8074B75C3E21285C449171CF2D9C878F55DE6F07CFB76CD8C14777A92DFB5DD4706784AEC4B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........b~g............t...........H...........$....%......$"...W..........`.......8...........T............<..W............%...........'..............................................................................eJ......x(......GenuineIntel............T.......P....a~g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DF5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6386
Entropy (8bit):	3.7181036902243743
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbj56876YZhQE/11Y5aM4UR89bA50sf/iOGm:R6l7wVeJj56876YZh4prR89bW0sf/Sm
MD5:	90B724FAF2CECBF9CDE02CC40A36D9D7
SHA1:	CFA5CDB21C0F73352F2F474F1D3AB9CC87CE3A41
SHA-256:	BB43316B5102F143E18EB346A913C67AAADE7487A94BAEA5CED69E786E429AC2
SHA-512:	62F355EC0C7345D8DC4FCFAC51D4FD3C29ECDEC30D547846247ED461E1F607B35EB97B6BC688A8612494448B881C4F4B390BD442403B779F51B5DA605A93BA4F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E16.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4733
Entropy (8bit):	4.45829516650132
Encrypted:	false
SSDEEP:	48:cvIwWl8zslJg77aI9V6WpW8VYmYm8M4JXWFC6+q8vNYE/mLNd:uIjf/I7X77VSJ96Kx/mLNd
MD5:	00F96B83617F0986D31EEA6350C7EA6F
SHA1:	FD862A8A70D7DA02B34C901549B819726CFDB910
SHA-256:	90CD988C8F754DB0A53AF788BF6C8A5EA4F957120C762670FFFE30B4786C182A
SHA-512:	4896F033656719EF464CE43BA7D4FF56F462F2E0B22CE73AA529EE082C623DD7FC8DE632B50180241C3C88EE48EF1C808DBE7B6CD5745E3108880C9D6570641C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666876" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.39469109565379
Encrypted:	false
SSDEEP:	6144:hl4fiJoH0ncNXiUjt10qfG/gaocYGBoaUMMhA2NX4WABlBuNACOBSqa:X4vFfMYQUMM6VFYSCU
MD5:	339C0F1C1CA73EB614372B742F020424
SHA1:	B813D0C40DD8DB25E3628E1FBB0908155DA11562
SHA-256:	66EED41F1B8373DADA4CDA06EE2B8C725140D25500995FBFC64BE3C021EDC9E1
SHA-512:	3887082EE56215B38C4142F077C8E24790E5C28C6CDA7EB4DAEEDF3DD3CA4CDAFB52D7BFEEED9A31A38FF08AFCD1A799C408002E3869F9311036323FB593B630
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..i,.a................................................................................................................................................................................................................................................................................................................................................~.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.882537072603037
TrID:	Win64 Executable GUI (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	Payment-Order #24560274 for 8,380 USD.exe
File size:	1'461'760 bytes
MD5:	f19ce6f6790292bbd9b8533d33b1a46f
SHA1:	ce057013f389e0f2506f4cd495799d684b0be2a3
SHA256:	67afda69254336cc140c2fe7474eb6b93c27ec134b07f91a604bee1c15c9135c
SHA512:	f940a1551c54babc86e47722729f2bc55c7e28c61b39c69e1a7566efde04905a21ee0d8f24dcdf5f4b76599570d612987ff73c896967456d1ab21baf37bec721
SSDEEP:	24576:PAonTAWtaG9kwX2t684Bnndby1UuFLan9k5TRM7phylfihgdElUIVjDyh:PAodtaG9kS2U84B+FLan9k5TRM9zlPVj
TLSH:	A565BE19E3A811FCD527C674CB55A233E6B174560B21A4CB0B99C7452FB3EE26B7B302
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E...E...D...E...D...E...E...E...DD..EI..D...EI..D...E...............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14006ac2c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E5ADB8 [Sat Sep 14 15:37:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	22a65106d3d84ea74d966fa0424a5a0c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F1118E8B83Ch
dec eax
add esp, 28h
jmp 00007F1118E8B067h
int3
int3
jmp 00007F1118E8BBB8h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F1118E8BBB4h
jmp 00007F1118E8B1F4h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F1118E8B1DCh
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F1118E8B202h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F1118E8B205h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F1118E8B1FDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F1118E8B206h
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00000049h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x17f3c0	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17f41c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19c000	0x812c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x18f000	0xcdec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a5000	0x5b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x165ae0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x165d00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1659a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x6a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f188	0x6f200	16824105689e93571b28f6d652acf3f1	False	0.45466728768278963	data	6.6338226603175485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x71000	0x77a28	0x77c00	459fe8e4d0429964edfb07e39e66b232	False	0.46850331093423797	data	6.473781869755907	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0xe9000	0x30498	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11a000	0x66c6a	0x66e00	19d69919d9ea837ef6351baa0211b72d	False	0.4881032616950182	data	6.702703489018048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x181000	0xd5a8	0x1800	9d5075bd44b367f703d8e922b003398a	False	0.2294921875	data	3.190641782829915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x18f000	0xcdec	0xce00	638451eb673a6cdf25f666b19f1b8bb4	False	0.49419751213592233	data	6.064103613023274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x19c000	0x812c	0x8200	3691b0aede7b180237704710c2d65dbb	False	0.97109375	data	7.953193437636764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a5000	0x5b8	0x600	adcf9b9e4d3994d1018ad464f4f1db74	False	0.5826822916666666	data	5.215191968056739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BINARY	0x19c130	0x7a84	data	1.000510139012881
RT_VERSION	0x1a3bb4	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data	0.3579295154185022
RT_MANIFEST	0x1a3f40	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegEnumValueW
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptGenRandom
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, GetConsoleWindow, FreeConsole, AllocConsole, SetLastError, GetLastError, LocalFree, CloseHandle, ExitProcess, GetTickCount64, FormatMessageW, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, GetCurrentProcess, CloseThreadpoolIo, GetCurrentProcessId, MultiByteToWideChar, GetStdHandle, RaiseFailFastException, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetThreadPriority, SetThreadPriority, WriteFile, GetCurrentProcessorNumberEx, SetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, ResumeThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead
ole32.dll	CoGetApartmentType, CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoWaitForMultipleHandles
api-ms-win-crt-heap-l1-1-0.dll	malloc, free, _callnewh, calloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-string-l1-1-0.dll	strcmp, _stricmp, strcpy_s, strncpy_s, wcsncmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	__p___wargv, _cexit, exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, __p___argc, _exit, abort, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _set_app_type, _initterm, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf_s, __stdio_common_vfprintf, __p__commode, _set_fmode, __stdio_common_vsscanf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T12:30:44.571447+0100	2859460	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.9	49705	212.23.222.198	7000	TCP
2025-01-08T12:32:09.836709+0100	2859459	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.9	52880	212.23.222.198	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:24.959216118 CET	49676	443	192.168.2.9	23.206.229.209
Jan 8, 2025 12:30:24.959697962 CET	49675	443	192.168.2.9	23.206.229.209
Jan 8, 2025 12:30:25.224812031 CET	49674	443	192.168.2.9	23.206.229.209
Jan 8, 2025 12:30:26.568576097 CET	49677	443	192.168.2.9	20.189.173.11
Jan 8, 2025 12:30:33.879668951 CET	49705	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:33.884488106 CET	7000	49705	212.23.222.198	192.168.2.9
Jan 8, 2025 12:30:33.884726048 CET	49705	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:34.001555920 CET	49705	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:34.007337093 CET	7000	49705	212.23.222.198	192.168.2.9
Jan 8, 2025 12:30:34.568581104 CET	49676	443	192.168.2.9	23.206.229.209
Jan 8, 2025 12:30:34.568586111 CET	49675	443	192.168.2.9	23.206.229.209
Jan 8, 2025 12:30:34.834148884 CET	49674	443	192.168.2.9	23.206.229.209
Jan 8, 2025 12:30:36.470118046 CET	443	49704	23.206.229.209	192.168.2.9
Jan 8, 2025 12:30:36.470308065 CET	49704	443	192.168.2.9	23.206.229.209
Jan 8, 2025 12:30:44.571446896 CET	49705	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:44.576209068 CET	7000	49705	212.23.222.198	192.168.2.9
Jan 8, 2025 12:30:55.162787914 CET	49705	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:55.167644024 CET	7000	49705	212.23.222.198	192.168.2.9
Jan 8, 2025 12:30:55.251075983 CET	7000	49705	212.23.222.198	192.168.2.9
Jan 8, 2025 12:30:55.251151085 CET	49705	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:55.928132057 CET	49705	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:55.928993940 CET	49712	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:55.932950974 CET	7000	49705	212.23.222.198	192.168.2.9
Jan 8, 2025 12:30:55.933800936 CET	7000	49712	212.23.222.198	192.168.2.9
Jan 8, 2025 12:30:55.933898926 CET	49712	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:55.957762957 CET	49712	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:30:55.962589979 CET	7000	49712	212.23.222.198	192.168.2.9
Jan 8, 2025 12:30:59.983284950 CET	52736	53	192.168.2.9	162.159.36.2
Jan 8, 2025 12:30:59.988101959 CET	53	52736	162.159.36.2	192.168.2.9
Jan 8, 2025 12:30:59.988188028 CET	52736	53	192.168.2.9	162.159.36.2
Jan 8, 2025 12:30:59.988259077 CET	52736	53	192.168.2.9	162.159.36.2
Jan 8, 2025 12:30:59.993037939 CET	53	52736	162.159.36.2	192.168.2.9
Jan 8, 2025 12:31:00.450556993 CET	53	52736	162.159.36.2	192.168.2.9
Jan 8, 2025 12:31:00.490413904 CET	52736	53	192.168.2.9	162.159.36.2
Jan 8, 2025 12:31:00.738907099 CET	52736	53	192.168.2.9	162.159.36.2
Jan 8, 2025 12:31:00.743887901 CET	53	52736	162.159.36.2	192.168.2.9
Jan 8, 2025 12:31:00.743949890 CET	52736	53	192.168.2.9	162.159.36.2
Jan 8, 2025 12:31:06.193911076 CET	49712	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:06.198697090 CET	7000	49712	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:16.444004059 CET	49712	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:16.448872089 CET	7000	49712	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:17.318567991 CET	7000	49712	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:17.318706989 CET	49712	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:18.802973032 CET	49712	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:18.803575993 CET	52741	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:18.807804108 CET	7000	49712	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:18.808418989 CET	7000	52741	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:18.808507919 CET	52741	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:18.832483053 CET	52741	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:18.837272882 CET	7000	52741	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:31.240783930 CET	52741	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:31.245831013 CET	7000	52741	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:40.175231934 CET	7000	52741	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:40.175306082 CET	52741	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:42.878282070 CET	52741	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:42.880913019 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:42.883155107 CET	7000	52741	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:42.885740042 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:42.885817051 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:42.917424917 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:42.922298908 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:43.209418058 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:43.214243889 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:43.357990026 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:43.362837076 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:44.543999910 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:44.548844099 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:48.498982906 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:48.503760099 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:49.180511951 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:49.185298920 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:49.405648947 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:49.410550117 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:51.359107971 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:51.363893032 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:51.539068937 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:51.543872118 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:52.969865084 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:52.974695921 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:54.212892056 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:54.217814922 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:54.258889914 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:54.263696909 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:55.667860985 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:55.672738075 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:57.208657980 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:57.213484049 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:58.310005903 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:58.314917088 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:58.428193092 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:58.433062077 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:31:59.667752028 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:31:59.672586918 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:00.760358095 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:00.765157938 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:00.841804981 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:00.846858978 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:02.071743965 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:02.076657057 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:02.160181999 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:02.164995909 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:03.282905102 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:03.287693024 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:03.515319109 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:03.520159960 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:03.713530064 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:03.718374968 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:04.253998041 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:04.256294012 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:04.741403103 CET	52743	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:04.742286921 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:04.746159077 CET	7000	52743	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:04.747122049 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:04.747195005 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:04.888700962 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:04.893589020 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:07.753523111 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:07.758337975 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:08.405492067 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:08.410250902 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:09.796969891 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:09.801911116 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:09.836709023 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:09.841517925 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:10.032489061 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:10.037271023 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:10.062860966 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:10.067693949 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:10.129153967 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:10.133965015 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:11.582779884 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:11.587583065 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:11.751552105 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:11.756412029 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:11.860374928 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:11.865168095 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:12.442210913 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:12.446954966 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:12.810456991 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:12.815274000 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:13.440227985 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:13.557701111 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:14.007711887 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:14.012846947 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:14.012898922 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:14.018121958 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:14.421849966 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:14.429228067 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:14.606235981 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:14.611109018 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:16.004561901 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:16.009371042 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:16.070910931 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:16.075795889 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:16.594610929 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:16.599499941 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:17.849533081 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:17.854418993 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:18.401660919 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:18.409389019 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:18.651658058 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:18.656497002 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:19.235100985 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:19.240000010 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:19.354571104 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:19.359566927 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:19.411915064 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:19.416781902 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:19.449594975 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:19.454520941 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:19.547051907 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:19.551933050 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:19.728564024 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:19.733465910 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:19.920231104 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:19.925136089 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:20.117825985 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:20.122685909 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:20.230923891 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:20.235809088 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:20.362448931 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:20.367301941 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:20.859937906 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:20.864767075 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:21.552659988 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:21.557432890 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:21.639878988 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:21.644607067 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:21.707216978 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:21.712229013 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:22.060162067 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:22.064938068 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:24.223192930 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:24.227969885 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:24.715359926 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:24.720171928 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:25.426917076 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:25.431688070 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:25.869055033 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:25.873876095 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:26.071788073 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:26.076584101 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:26.096945047 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:26.101763010 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:26.143121004 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:26.143197060 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:31.084211111 CET	52880	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:31.085441113 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:31.089199066 CET	7000	52880	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:31.090318918 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:31.090394020 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:31.129831076 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:31.134685040 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:33.985735893 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:33.990634918 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:34.042970896 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:34.047909021 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:34.293309927 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:34.298201084 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:34.531900883 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:34.536861897 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:34.553698063 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:34.558615923 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:34.604895115 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:34.609755039 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:37.098406076 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:37.103318930 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:37.418936968 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:37.425367117 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:38.810987949 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:38.815881014 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:38.850056887 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:38.854990959 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:38.895117998 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:38.901652098 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:39.367816925 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:39.372708082 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:39.393095970 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:39.398014069 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:39.424001932 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:39.429502964 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:40.796758890 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:40.801641941 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:40.820280075 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:40.825074911 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:40.891112089 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:40.896008968 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:41.263784885 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:41.268631935 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:41.284539938 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:41.289458990 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:41.437890053 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:41.442862034 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:41.452894926 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:41.457808018 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:42.811904907 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:42.816833973 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:44.783029079 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:44.919584036 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:45.050352097 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:45.055140972 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:45.248585939 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:45.253508091 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:45.320318937 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:45.325306892 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:45.337245941 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:45.342123032 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:45.344367981 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:45.349283934 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:47.592202902 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:47.597059965 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:49.870326996 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:49.875191927 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:50.835916996 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:50.840775013 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:50.985805988 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:50.990618944 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:51.003515005 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:51.008327007 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:51.385952950 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:51.391201019 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:51.428287029 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:51.433202028 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:51.527560949 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:51.532427073 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:51.569217920 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:51.574141979 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:51.661050081 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:51.745073080 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:51.745160103 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:51.750053883 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:52.473458052 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:52.474240065 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:52.849857092 CET	53009	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:52.852407932 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:52.854744911 CET	7000	53009	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:52.857330084 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:52.857388973 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:52.889440060 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:52.894325972 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:53.036459923 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:53.041361094 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:53.073162079 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:53.078119993 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:53.318250895 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:53.323045969 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:53.381333113 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:53.386231899 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:53.600028038 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:53.604938984 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:54.956156969 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:54.961245060 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:54.979676962 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:54.984510899 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:56.224930048 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:56.230424881 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:56.409625053 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:56.417555094 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:58.734594107 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:58.739562988 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:58.757685900 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:58.762605906 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:32:58.898269892 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:32:58.903242111 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:00.022721052 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:00.027537107 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:02.423515081 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:02.428507090 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:04.386661053 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:04.391638041 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:04.653678894 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:04.658549070 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:04.832221031 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:04.837368965 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:05.093055964 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:05.097946882 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:05.140332937 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:05.145153046 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:08.369867086 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:08.374675035 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:09.801034927 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:09.805845022 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:09.877912998 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:09.882827044 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:10.251703024 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:10.256515980 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:10.418582916 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:10.423391104 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:11.350688934 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:11.355463982 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:11.649324894 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:11.654169083 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:13.158427954 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:13.163197994 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:14.221990108 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:14.222055912 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:14.896702051 CET	53010	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:14.899189949 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:14.901474953 CET	7000	53010	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:14.904001951 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:14.904068947 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:14.935858011 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:14.940665007 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:15.172894955 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:15.177712917 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:15.406878948 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:15.411794901 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:15.798011065 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:15.802870035 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:16.280585051 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:16.285419941 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:16.318700075 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:16.323523998 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:16.947268963 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:16.952140093 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:16.953229904 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:16.959573030 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:17.036242008 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:17.042947054 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:17.159869909 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:17.166131973 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:17.288821936 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:17.295919895 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:19.018933058 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:19.023760080 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:19.075922966 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:19.080739021 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:20.889806032 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:20.894793987 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:20.961569071 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:20.966413975 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:21.121625900 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:21.126491070 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:21.277781010 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:21.282612085 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:21.283644915 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:21.288414955 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:21.300178051 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:21.304997921 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:21.333503008 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:21.338376999 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:21.351181984 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:21.355945110 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:21.357913971 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:21.362711906 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:21.722867966 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:21.727796078 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:23.154604912 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:23.159373045 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:23.218204021 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:23.223009109 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:23.298943996 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:23.303782940 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:23.351573944 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:23.356467009 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:23.366347075 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:23.371191978 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:23.735888958 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:23.740758896 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:25.091726065 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:25.096662998 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:25.299597979 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:25.304441929 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:25.746618032 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:25.751497030 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:26.883829117 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:26.888637066 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:26.996654987 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:27.001868963 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:27.188920021 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:27.193718910 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:27.282322884 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:27.287195921 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:27.764529943 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:27.769341946 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:28.227647066 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:28.232474089 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:28.555671930 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:28.560530901 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:29.241297007 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:29.246201992 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:29.247114897 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:29.251962900 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:29.264545918 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:29.269366980 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:29.280740976 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:29.285598040 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:30.178138018 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:30.183018923 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:30.944922924 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:30.949753046 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:30.965280056 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:30.970119953 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:31.058121920 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:31.063033104 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:31.222270012 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:31.227144957 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:31.282844067 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:31.287724972 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:31.338730097 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:31.343653917 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:31.346652031 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:31.351572037 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:32.355923891 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:32.360754967 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:32.932374001 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:32.937285900 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:33.098788977 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:33.103652954 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:33.415397882 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:33.420288086 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:34.998748064 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:35.003592968 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:35.346869946 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:35.401034117 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:36.258517981 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:36.258644104 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:36.304301977 CET	53011	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:36.304301977 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:36.309175968 CET	7000	53011	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:36.309191942 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:36.309381962 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:36.413444996 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:36.418344975 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:36.595645905 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:36.601170063 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:37.685658932 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:37.690453053 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:37.804780006 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:37.809559107 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:38.917931080 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:38.922820091 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:39.072731018 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:39.077645063 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:39.804286003 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:39.809231043 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:39.825320959 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:39.832947969 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:39.854420900 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:39.859255075 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:40.509623051 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:40.514507055 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:41.712008953 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:41.716877937 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:41.719518900 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:41.724284887 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:41.851339102 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:41.856154919 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:41.885891914 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:41.890774965 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:42.918999910 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:42.923835993 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:42.923892021 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:42.928664923 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:42.958309889 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:42.963123083 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:43.052707911 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:43.057495117 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:43.168068886 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:43.172980070 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:43.173463106 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:43.178272963 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:43.242898941 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:43.247652054 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:43.326445103 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:43.331165075 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:43.687506914 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:43.692382097 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:43.726304054 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:33:43.731372118 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:57.681674004 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:33:57.681781054 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:34:04.128559113 CET	53012	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:34:04.133330107 CET	53024	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:34:04.133410931 CET	7000	53012	212.23.222.198	192.168.2.9
Jan 8, 2025 12:34:04.138225079 CET	7000	53024	212.23.222.198	192.168.2.9
Jan 8, 2025 12:34:04.138299942 CET	53024	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:34:04.259932995 CET	53024	7000	192.168.2.9	212.23.222.198
Jan 8, 2025 12:34:04.264843941 CET	7000	53024	212.23.222.198	192.168.2.9
Jan 8, 2025 12:34:04.965662003 CET	53024	7000	192.168.2.9	212.23.222.198

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:59.982758999 CET	53	50900	162.159.36.2	192.168.2.9
Jan 8, 2025 12:31:00.749682903 CET	56819	53	192.168.2.9	1.1.1.1
Jan 8, 2025 12:31:00.756900072 CET	53	56819	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 12:31:00.749682903 CET	192.168.2.9	1.1.1.1	0x6fe7	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:45.656524897 CET	1.1.1.1	192.168.2.9	0x79f1	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:45.656524897 CET	1.1.1.1	192.168.2.9	0x79f1	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:46.147207975 CET	1.1.1.1	192.168.2.9	0xca30	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 12:30:46.147207975 CET	1.1.1.1	192.168.2.9	0xca30	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:58.983460903 CET	1.1.1.1	192.168.2.9	0x776c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 12:30:58.983460903 CET	1.1.1.1	192.168.2.9	0x776c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:31:00.756900072 CET	1.1.1.1	192.168.2.9	0x6fe7	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 8, 2025 12:31:42.084014893 CET	1.1.1.1	192.168.2.9	0x68fb	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 12:31:42.084014893 CET	1.1.1.1	192.168.2.9	0x68fb	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:30:29
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payment-Order #24560274 for 8,380 USD.exe"
Imagebase:	0x7ff7a6540000
File size:	1'461'760 bytes
MD5 hash:	F19CE6F6790292BBD9B8533D33B1A46F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1501110340.000002AAB2DFC000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1500296317.000002AAAF800000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:30:29
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:30:30
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0xbb0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3636532690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3636532690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:33:43
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 1508
Imagebase:	0xf50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.4%
Total number of Nodes:	998
Total number of Limit Nodes:	47

Executed Functions

Function 00007FF7A6551460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A655146F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A65514AD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A65514D9
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A65514EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A65514F9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A6551590
GetProcessAffinityMask.KERNEL32 ref: 00007FF7A65515A3

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction ID: 120c59eee221866beeeff92864cb516d2a26cb805b78186ff02e97e637812900
Opcode Fuzzy Hash: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction Fuzzy Hash: A7515171E1AB4686EB60AF15EC4417AABA2EB44F84FC95035E94E47778DF3CE444CB20

Function 00007FF7A656D16A Relevance: 9.5, APIs: 4, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF7A656D1B8

Strings

END, xrefs: 00007FF7A656D73A

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug
String ID: END
API String ID: 456121617-2522575163
Opcode ID: 38e0c489ae895d9936cc8f933a868ccb106945ed1c986c164ac1257dd7aff2c4
Instruction ID: 91c2a31a51a401aee0c3573a9f4deda84a510afa4c67a30560b5489643a658e4
Opcode Fuzzy Hash: 38e0c489ae895d9936cc8f933a868ccb106945ed1c986c164ac1257dd7aff2c4
Instruction Fuzzy Hash: DD829B35E0BB4685EB50AF29EC50276B3A2EF45F44F9A6636D90D426B0DE3CE441CF21

Function 00007FF7A6568830 Relevance: 3.5, APIs: 2, Instructions: 952COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7A65689EC
LeaveCriticalSection.KERNEL32 ref: 00007FF7A6568A03

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
Instruction ID: 7bf3343ba88aa6ceaf67cbf8b7622e76ce75dbd338db7ab79f6d28df63735f14
Opcode Fuzzy Hash: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
Instruction Fuzzy Hash: 47B25776A0AF4685EB04AB14EC4027AB3A5FB49F84F9A6635CA4C03774DF3CE461C721

Function 00007FF7A6559340 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TraceGC is not turned on, xrefs: 00007FF7A6559346
Creation of WaitForGCEvent failed, xrefs: 00007FF7A65596C1

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
API String ID: 133006248-518909315
Opcode ID: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction ID: 099869341d14acdfe67b80a110e0675fe144fc8730d7b56de42669ff9a3547a2
Opcode Fuzzy Hash: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction Fuzzy Hash: CAB15F21E0FB8281EB11BB24EC5527BE292AF45F84FC65135E54E067BADF2CF4518B20

Function 00007FF7A65D8FB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FF7A65D9026

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction ID: 2385ea471c804ca70c79e50ee642b8ee42c5d4fc9044d81cb2cb8445249955f1
Opcode Fuzzy Hash: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction Fuzzy Hash: 8C219F33A06A91DAD724EF61EC505EA77A4FB44B98F910135FE4D83AA9DF38D481C350

Function 00007FF7A6566190 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

HB, xrefs: 00007FF7A65664ED

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID: HB
API String ID: 0-654769311
Opcode ID: 8baaf20ad30f8a11e83a1753a6f0dac9e1f205e362e9e02b02714d8a0f111955
Instruction ID: d86a47d8b3231abb9604c32b78ca07fb662fadadf2b89579bbb5c61fba10e50d
Opcode Fuzzy Hash: 8baaf20ad30f8a11e83a1753a6f0dac9e1f205e362e9e02b02714d8a0f111955
Instruction Fuzzy Hash: 50D1BD76A0AB4286EB50AF05EC4436AB7A5FF04F94F9A5235DA4D03BA0DF3CE451C721

Function 00007FF7A656DFD0 Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097b62bcefa2e15c075ed7cd1fc2a7246b24135ed2dc7981fe42efd19a6c3ad6
Instruction ID: d9d1f8ead17fafcad318e4d45643565f8d5cd12d8bb12991b3e970b06fd51cf1
Opcode Fuzzy Hash: 097b62bcefa2e15c075ed7cd1fc2a7246b24135ed2dc7981fe42efd19a6c3ad6
Instruction Fuzzy Hash: 6662D475A1FA4685EB65AB26EC44337F392BF44F84F9A9135E90D53270DF3CA840CA21

Function 00007FF7A6570C50 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a4ce6d3edcbc3c7c6dd526977bf27065133be5ff1af8be5729591fa77bad5d
Instruction ID: 2fe4fbc54be47174fe63f6840f9472f7e82d41fcba68d6b5fe85f4916abd1bf7
Opcode Fuzzy Hash: 43a4ce6d3edcbc3c7c6dd526977bf27065133be5ff1af8be5729591fa77bad5d
Instruction Fuzzy Hash: 90F15C21D1BF8285F711FB24ED51277E292AFA5B40FC6A335E44D112B2EF2CB591CA20

Function 00007FF7A656C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.NET BGC, xrefs: 00007FF7A656CCC6
m, xrefs: 00007FF7A656CA3E
qX, xrefs: 00007FF7A656CAFA
condemned generation num: %d, xrefs: 00007FF7A656CB11
BEGIN, xrefs: 00007FF7A656CC04

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID: .NET BGC$BEGIN$condemned generation num: %d$m$qX
API String ID: 0-2393834873
Opcode ID: b4573e5521eb2daec4fdc1dac7b857241a61d624bfb449cc36c2373dcde47909
Instruction ID: 9d39a660b458abf3cb8a7796db7d216b375af5405b53b7ba18796edd704ca883
Opcode Fuzzy Hash: b4573e5521eb2daec4fdc1dac7b857241a61d624bfb449cc36c2373dcde47909
Instruction Fuzzy Hash: BA225B65D0AA8285F711AF29EC402B6F3A2FF55F44F8A6235DA4C52671DF3CB481CB21

Function 00007FF7A6551010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7A655105B
IsProcessInJob.KERNEL32 ref: 00007FF7A655106B
QueryInformationJobObject.KERNEL32 ref: 00007FF7A655109B
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF7A6551104
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7A6551143
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7A655118C

Strings

@, xrefs: 00007FF7A6551138
@, xrefs: 00007FF7A65510EC
@, xrefs: 00007FF7A6551181

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction ID: 77df304877a4287c21e196e8b6dd5fe5b9f7753cafb1be53ce281d02405a6329
Opcode Fuzzy Hash: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction Fuzzy Hash: 9B418431B09AC185EB71DF12E9443AAB7A0FB48F90F854235DA9E47BA8CF3CD4458B10

Function 00007FF7A654B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A654474F,?,?,?,?,?,?,00007FF7A6541EA0), ref: 00007FF7A654B82B

Part of subcall function 00007FF7A6551460: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A655146F
Part of subcall function 00007FF7A6551460: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A65514AD
Part of subcall function 00007FF7A6551460: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A65514D9
Part of subcall function 00007FF7A6551460: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A65514EA
Part of subcall function 00007FF7A6551460: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A654B84A), ref: 00007FF7A65514F9

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A654474F,?,?,?,?,?,?,00007FF7A6541EA0), ref: 00007FF7A654B89D
GetProcessAffinityMask.KERNEL32 ref: 00007FF7A654B8B0
QueryInformationJobObject.KERNEL32 ref: 00007FF7A654B8FE

Strings

PROCESSOR_COUNT, xrefs: 00007FF7A654B866

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
String ID: PROCESSOR_COUNT
API String ID: 1701933505-4048346908
Opcode ID: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction ID: 1af0affd52b8248e8cdd1d825ed49296660d909672b1be95e2e18b593d6a0e43
Opcode Fuzzy Hash: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction Fuzzy Hash: 1E319371A0AA4382EB54BB51DC883BFE7A2EF44B84FD61071D64E436B5DE2DE509C720

Function 00007FF7A6544740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7A654B820: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A654474F,?,?,?,?,?,?,00007FF7A6541EA0), ref: 00007FF7A654B82B
Part of subcall function 00007FF7A654B820: QueryInformationJobObject.KERNEL32 ref: 00007FF7A654B8FE

Part of subcall function 00007FF7A654B6C0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF7A6544778,?,?,?,?,?,?,00007FF7A6541EA0), ref: 00007FF7A654B6D1

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF7A6541EA0), ref: 00007FF7A65448BE

Strings

StressLogLevel, xrefs: 00007FF7A6544830
TotalStressLogSize, xrefs: 00007FF7A65447F5
The required instruction sets are not supported by the current CPU., xrefs: 00007FF7A65448AA

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: AllocExceptionFailFastHandleInformationModuleObjectQueryRaise
String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
API String ID: 3403879507-2841289747
Opcode ID: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction ID: 66eb770c760e1c4eb9c5ebebc8660d175fe0334e632f07166af0226b8a4a7caa
Opcode Fuzzy Hash: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction Fuzzy Hash: 3F415D32E0A64285E601BB61EC062BBA392EF51F44FE650B1E94E176F6CE2CE405C760

Function 00007FF7A65454E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF7A6545595
RaiseFailFastException.KERNEL32(?,?,?,00007FF7A65FE640), ref: 00007FF7A65455C1
RaiseFailFastException.KERNEL32(?,?,?,00007FF7A65FE640), ref: 00007FF7A65455FA

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF7A65455E6

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: ac0d77211ca4eaf3dba703a6dcfce26e9bb0a2d5ca19c56c45e61c24b7b6bea8
Instruction ID: 24be6a503540523dd4488b481e2957fe63db61c216683eeb9381caeefbe95a8f
Opcode Fuzzy Hash: ac0d77211ca4eaf3dba703a6dcfce26e9bb0a2d5ca19c56c45e61c24b7b6bea8
Instruction Fuzzy Hash: 6E414F3291AA4282EB91AB1AEC443BBB3A2EB54F84F955035DA4D423B0DF3DE455C760

Function 00007FF7A654BA80 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF7A654BAA1
SetThreadPriority.KERNELBASE ref: 00007FF7A654BABD
ResumeThread.KERNELBASE ref: 00007FF7A654BAC6
CloseHandle.KERNELBASE ref: 00007FF7A654BACF

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Thread$CloseCreateHandlePriorityResume
String ID:
API String ID: 3633986771-0
Opcode ID: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction ID: e5d8b8d9340fd522597d8e3b676f94a44640137fa76f0efbb5bb87b7565c1d0d
Opcode Fuzzy Hash: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction Fuzzy Hash: 2BE09BA5E1670242FB14AB22BC1A336A752FF99F95F8D5034CD5E47374EF3C91858A10

Function 00007FF7A6550E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7A6550E67
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7A6550F2C

Strings

@, xrefs: 00007FF7A6550F24

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction ID: 59ebc3378630a93672c3ed7f92a0ebe2de0ce3a444823f659aec1e4786e1b5bf
Opcode Fuzzy Hash: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction Fuzzy Hash: BC410A21B0AB4641E956DB36D91533AD2D2AF55FC0F59C231FD1E22768FF3CE4818A10

Function 00007FF7A6582320 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF7A656F9D9,?,?,?,?,?,00007FF7A657E9FF,?,?,?,00007FF7A65588C3), ref: 00007FF7A6582360
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF7A656F9D9,?,?,?,?,?,00007FF7A657E9FF,?,?,?,00007FF7A65588C3), ref: 00007FF7A65823D6
EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF7A656F9D9,?,?,?,?,?,00007FF7A657E9FF,?,?,?,00007FF7A65588C3), ref: 00007FF7A658242B
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF7A656F9D9,?,?,?,?,?,00007FF7A657E9FF,?,?,?,00007FF7A65588C3), ref: 00007FF7A6582451

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
Instruction ID: 84c6d14c6aa1262e1ad00db342309d26d77ef372ac8b36914774e791b996e8f0
Opcode Fuzzy Hash: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
Instruction Fuzzy Hash: 21314F21D0EA1281EA20BF05EC50377BA51AF64F41FD65036E98D46AB1DE7CE98197B0

Function 00007FF7A65516E0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF7A65551C8,?,?,0000000A,00007FF7A6554220,?,?,00000000,00007FF7A654DBB1), ref: 00007FF7A6551707
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF7A65551C8,?,?,0000000A,00007FF7A6554220,?,?,00000000,00007FF7A654DBB1), ref: 00007FF7A6551727
VirtualAllocExNuma.KERNEL32 ref: 00007FF7A6551748

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction ID: a934821a35e4c27d51d93b4d1550bfffb56467237c574ddf22b27528b5b4c77d
Opcode Fuzzy Hash: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction Fuzzy Hash: 53F0AF71B086D182EB209B06F80522AAB61EB49FD4F894138EF8C17B6CCF3DD5818B10

Function 00007FF7A655759B Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF7A65575FE
GetTickCount64.KERNEL32 ref: 00007FF7A6557683

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: 31575397fae93a463ead22a751a09a553ed39c8a533930d3ab52363c48fe06c9
Instruction ID: d0a612946ae1563742ab621a6229a5b0d4416ca38e280138af276af050232d2e
Opcode Fuzzy Hash: 31575397fae93a463ead22a751a09a553ed39c8a533930d3ab52363c48fe06c9
Instruction Fuzzy Hash: AA416421E0BB4285EB65BB15DE4827BE291EF00F84F975432E94D036B9CE3DF4418A30

Function 00007FF7A65AB610 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A65AAC51,?,?,?,?,00007FF7A654FCD1,?,?,?,00007FF7A6550254,00000000,00000020,?), ref: 00007FF7A65AB62A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A65AB640

Part of subcall function 00007FF7A65AB924: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7A65AB92D

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction ID: df8a85ef731fbe75ce09989eb93aef0998a837cd64cfb4eabb670a99b4ef009d
Opcode Fuzzy Hash: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction Fuzzy Hash: 8DE0EC80E0B10705FD5931629E6E0B781804F78F70EDE1B30DA3E063E2ED1DE45681B0

Function 00007FF7A654BA40 Relevance: 3.0, APIs: 2, Instructions: 18
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF7A654BA59
CloseHandle.KERNELBASE ref: 00007FF7A654BA6C

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: afbd848b2ecd7790fe80cbff50474ccea25c37df90b3e86a6a037c059f69191f
Instruction ID: 419b1d51639fe6e8acf9bb945131049bd892dca3943dee9beb423968ce150a57
Opcode Fuzzy Hash: afbd848b2ecd7790fe80cbff50474ccea25c37df90b3e86a6a037c059f69191f
Instruction Fuzzy Hash: DCD012A5E0A74182DA14EB616C051266BD2BF9CF44FD54038D94DC3334FE3C92158910

Function 00007FF7A6567A30 Relevance: 2.6, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A6582480: EnterCriticalSection.KERNEL32(?,?,?,00007FF7A6567A69), ref: 00007FF7A65824C4
Part of subcall function 00007FF7A6582480: LeaveCriticalSection.KERNEL32(?,?,?,00007FF7A6567A69), ref: 00007FF7A65824EE

EnterCriticalSection.KERNEL32 ref: 00007FF7A6567B43
LeaveCriticalSection.KERNEL32 ref: 00007FF7A6567B64

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction ID: b708f55047e0f51c36e30584866ba02cbbe157ab2ea0d7daa4adf57a81cb3e87
Opcode Fuzzy Hash: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction Fuzzy Hash: 5341D061A1AA4241EB11AB25DD40276A3A2EF05FF4F9A5335D97C476F8DF2CE081C760

Function 00007FF7A65508D0 Relevance: 2.6, APIs: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF7A6550944

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction ID: f977d7fafe71108959f752b246369e64a737be4f95985bc44fd9ee746f911fe2
Opcode Fuzzy Hash: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction Fuzzy Hash: BA31E432A06B5181EA14EB16D80416BA3E4FB45FD0F858135EF5C17BA8DF38E5628350

Function 00007FF7A6582480 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF7A6567A69), ref: 00007FF7A65824C4
LeaveCriticalSection.KERNEL32(?,?,?,00007FF7A6567A69), ref: 00007FF7A65824EE

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction ID: d81c02f626e91abf1bf4447aa73e4ec75fab54ece4058a3df7c0d4223ab6c2b3
Opcode Fuzzy Hash: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction Fuzzy Hash: 6B018031D0EA5250F720BB14FC842BBBB91AB90FA0FD75031E49D429B58E2CE881D7B0

Function 00007FF7A65516A0 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF7A65516B6
VirtualFree.KERNELBASE ref: 00007FF7A65516CC

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction ID: 3a01d7faead93546314c0bc9644514ea056c071c3fe1ed2933ba028d67bf7a94
Opcode Fuzzy Hash: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction Fuzzy Hash: 39E0C234F1761186EB28A713AC466266653BF4AF00FC5D038C40E47374DE2DA51B8F20

Function 00007FF7A65E2890 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF7A65E27CF,?,?,00000030), ref: 00007FF7A65E28E2

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 803ee097a5861c941b8cfd7976f9223188b032406d6128dfb8400f5b6217b5c5
Instruction ID: 5fbcfbbb7120204652fd0591317dffce2220251f5f83179ee5377e5d3fcc9f59
Opcode Fuzzy Hash: 803ee097a5861c941b8cfd7976f9223188b032406d6128dfb8400f5b6217b5c5
Instruction Fuzzy Hash: E8219D16F4E20294FB14F662DC515FFA2906F54F54FA65035EE0D566ABDE3CE4828320

Function 00007FF7A65574AB Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF7A65574F5

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 3b1958921fa04c35c2a701cc9646c22b7e924147385864a8d091c62de11b65c9
Instruction ID: a226b890460ced27cb27d94c1114989007415d061d4b2f910dd74c07e38541eb
Opcode Fuzzy Hash: 3b1958921fa04c35c2a701cc9646c22b7e924147385864a8d091c62de11b65c9
Instruction Fuzzy Hash: 5E110563F1974182E6419A21D8046B69390EB89BB0F9A1331FEBC437DAEF2CE4428750

Function 00007FF7A6544930 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A654B6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF7A654B6A4

Part of subcall function 00007FF7A654CA20: VirtualQuery.KERNEL32 ref: 00007FF7A654CA52

RaiseFailFastException.KERNEL32 ref: 00007FF7A65449B6

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: d896b62f651088d1b42081c4ab7746b0ce5873f34015609dc32dcd43e3b187cf
Instruction ID: 3dca281b3dfd69ccf82c745be8640e2c0b42e6790dc914e80e5f4b9522aca3d0
Opcode Fuzzy Hash: d896b62f651088d1b42081c4ab7746b0ce5873f34015609dc32dcd43e3b187cf
Instruction Fuzzy Hash: 6C111F7250978242D624AF25F80919BF361FB45BB0F544335E6BE077E6DF38D1468700

Function 00007FF7A65456A0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF7A65456F1

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: e76a9a7bbbb96f3115f810c60743dc72ad2f91abc5fa222d7a1e73d8144a1f29
Instruction ID: 052d86b2853f8dcc28b43fc4b607e1517f49cbbe87273fcf8b502a48931cf755
Opcode Fuzzy Hash: e76a9a7bbbb96f3115f810c60743dc72ad2f91abc5fa222d7a1e73d8144a1f29
Instruction Fuzzy Hash: BAF08225F1AA8242E6007B21FE862BF93529F49FA0F965130EA1D077A7CE3CD0818B50

Function 00007FF7A65C4160 Relevance: 1.5, APIs: 1, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2df50b22f88e90d383fbc999c0b4c68a7662b2a9291df2bb10142457fbc865c
Instruction ID: 4295f8570ee75b5c3f77d98b2afad051f12f4146aa3280cfffea63ac8adf9047
Opcode Fuzzy Hash: b2df50b22f88e90d383fbc999c0b4c68a7662b2a9291df2bb10142457fbc865c
Instruction Fuzzy Hash: 3861B321F0A20249EB14FB66EC516FBA3626F94B84FD64035DE0D57BAADE3CD442C720

Function 00007FF7A6551770 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FF7A655177A

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction ID: 5b23663ace4b5cbc679018fb1407349c00f0be1591b8a3766dedc53672727489
Opcode Fuzzy Hash: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction Fuzzy Hash: F4B01200F17441C2E3043723BC4330901167B06F02FC15064D608E1264CD1C85A50F10

Non-executed Functions

Function 00007FF7A6551A00 Relevance: 118.0, Strings: 94, Instructions: 546COMMON

Download Yara Rule

Strings

System.GC.RetainVM, xrefs: 00007FF7A6551AAA
GCCpuGroup, xrefs: 00007FF7A6551B8A
BGCSpinCount, xrefs: 00007FF7A6551C1C
BGCG2RatioStep, xrefs: 00007FF7A65521B9
BreakOnOOM, xrefs: 00007FF7A6551ACF
System.GC.HeapHardLimitSOH, xrefs: 00007FF7A65521D7
GCEnableSpecialRegions, xrefs: 00007FF7A6551EF7
GCTotalPhysicalMemory, xrefs: 00007FF7A6551E9D
System.GC.Name, xrefs: 00007FF7A6552304, 00007FF7A655231C
System.GC.HeapHardLimitPercent, xrefs: 00007FF7A6551E7B
GCHeapHardLimitPercent, xrefs: 00007FF7A6551E8A
System.GC.HeapAffinitizeRanges, xrefs: 00007FF7A6551D72, 00007FF7A6551D93
BGCFLEnableFF, xrefs: 00007FF7A655219B, 00007FF7A65522E3
NoAffinitize, xrefs: 00007FF7A6551B02
GCHeapHardLimitLOH, xrefs: 00007FF7A6552208
RetainVM, xrefs: 00007FF7A6551ABC
GCProvModeStress, xrefs: 00007FF7A6551DE1
GCHeapHardLimit, xrefs: 00007FF7A6551E68
HeapVerifyLevel, xrefs: 00007FF7A6551BC2
LatencyLevel, xrefs: 00007FF7A6551CF6
BGCFLEnableTBH, xrefs: 00007FF7A655217D
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF7A6552281
System.GC.HeapHardLimitLOH, xrefs: 00007FF7A65521F9
LatencyMode, xrefs: 00007FF7A6551CD8
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF7A655223D
CompactRatio, xrefs: 00007FF7A6551D32
HeapCount, xrefs: 00007FF7A6551C67
BGCMLki, xrefs: 00007FF7A6552105
System.GC.HighMemoryPercent, xrefs: 00007FF7A6551DBF
System.GC.DynamicAdaptationMode, xrefs: 00007FF7A655236C
LogFileSize, xrefs: 00007FF7A6551D14
GCHighMemPercent, xrefs: 00007FF7A6551DCE
BGCSpin, xrefs: 00007FF7A6551C3A
System.GC.HeapHardLimitPOH, xrefs: 00007FF7A655221B
LOHThreshold, xrefs: 00007FF7A6551BFE
BGCFLSweepGoalLOH, xrefs: 00007FF7A6552015
System.GC.HeapAffinitizeMask, xrefs: 00007FF7A6551D50
GCRegionSize, xrefs: 00007FF7A6551ED9
ConfigLogEnabled, xrefs: 00007FF7A6551B36
ConfigLogFile, xrefs: 00007FF7A6551F6F
GCGen1MaxBudget, xrefs: 00007FF7A6551E1D
System.GC.CpuGroup, xrefs: 00007FF7A6551B78
GCHeapHardLimitSOH, xrefs: 00007FF7A65521E6
BGCMemGoalSlack, xrefs: 00007FF7A6551FD9
ServerGC, xrefs: 00007FF7A6551A2A
ConcurrentGC, xrefs: 00007FF7A6551A55
BGCFLSweepGoal, xrefs: 00007FF7A6551FF7
BGCFLEnableKi, xrefs: 00007FF7A6552123
System.GC.NoAffinitize, xrefs: 00007FF7A6551AF0
Gen0Size, xrefs: 00007FF7A6551C9C
System.GC.Concurrent, xrefs: 00007FF7A6551A43
BGCFLkp, xrefs: 00007FF7A6552033
LogEnabled, xrefs: 00007FF7A6551B15
LOHCompactionMode, xrefs: 00007FF7A6551BE0
BGCMLkp, xrefs: 00007FF7A65520F2
GCLogFile, xrefs: 00007FF7A6551F1A
GCHeapHardLimitPOH, xrefs: 00007FF7A655222A
GCEnabledInstructionSets, xrefs: 00007FF7A65522A3
GCHeapHardLimitLOHPercent, xrefs: 00007FF7A6552271
BGCFLki, xrefs: 00007FF7A6552051
System.GC.ConserveMemory, xrefs: 00007FF7A65522C1
MaxHeapCount, xrefs: 00007FF7A6551C89
GCNumaAware, xrefs: 00007FF7A6551B57
GCConserveMem, xrefs: 00007FF7A65522D0
GCRegionRange, xrefs: 00007FF7A6551EBB
SegmentSize, xrefs: 00007FF7A6551CBA
System.GC.MaxHeapCount, xrefs: 00007FF7A6551C7A
BGCFLkd, xrefs: 00007FF7A655206F
System.GC.HeapCount, xrefs: 00007FF7A6551C58
GCLowSkipRatio, xrefs: 00007FF7A6551E3B
BGCFLTuningEnabled, xrefs: 00007FF7A6551F9D
BGCFLff, xrefs: 00007FF7A655208D
System.GC.LargePages, xrefs: 00007FF7A6551BA8
BGCMemGoal, xrefs: 00007FF7A6551FBB
BGCFLEnableSmooth, xrefs: 00007FF7A655215F
GCHeapHardLimitPOHPercent, xrefs: 00007FF7A6552290
System.GC.HeapHardLimit, xrefs: 00007FF7A6551E59
BGCFLGradualD, xrefs: 00007FF7A65520C9
GCLargePages, xrefs: 00007FF7A6551BB2
BGCFLEnableKd, xrefs: 00007FF7A6552141
GCConfigLogFile, xrefs: 00007FF7A6551F5E
GCGen0MaxBudget, xrefs: 00007FF7A6551DFF
GCHeapAffinitizeMask, xrefs: 00007FF7A6551D5F
GCSpinCountUnit, xrefs: 00007FF7A655234E
GCHeapAffinitizeRanges, xrefs: 00007FF7A6551D7E, 00007FF7A6551D9F
GCName, xrefs: 00007FF7A655230B, 00007FF7A655232E
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF7A6552267
BGCFLSmoothFactor, xrefs: 00007FF7A65520AB
GCHeapHardLimitSOHPercent, xrefs: 00007FF7A655224C
ForceCompact, xrefs: 00007FF7A6551A89
System.GC.Server, xrefs: 00007FF7A6551A1B
GCDynamicAdaptationMode, xrefs: 00007FF7A655237B
LogFile, xrefs: 00007FF7A6551F2B
ConservativeGC, xrefs: 00007FF7A6551A68

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
API String ID: 0-799405152
Opcode ID: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction ID: 825cd39bec586149b13578a0fac4cfbf033657d283437e489071a2f630576807
Opcode Fuzzy Hash: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction Fuzzy Hash: 6D424F75609A9641EB60AB55FC10AAAE766FF55FC8FC26132D98C07B34DF3CD2018B14

Function 00007FF7A6552750 Relevance: 109.2, Strings: 87, Instructions: 472COMMON

Download Yara Rule

Strings

System.GC.RetainVM, xrefs: 00007FF7A65527FF
gcServer, xrefs: 00007FF7A6552762
GCCpuGroup, xrefs: 00007FF7A6552900
BGCSpinCount, xrefs: 00007FF7A65529CD
BGCG2RatioStep, xrefs: 00007FF7A6553053
System.GC.HeapHardLimitSOH, xrefs: 00007FF7A655307C
GCEnableSpecialRegions, xrefs: 00007FF7A6552D48
GCTotalPhysicalMemory, xrefs: 00007FF7A6552CCD
GCLOHThreshold, xrefs: 00007FF7A65529A4
System.GC.HeapHardLimitPercent, xrefs: 00007FF7A6552C9F
GCHeapHardLimitPercent, xrefs: 00007FF7A6552CA6
BGCFLEnableFF, xrefs: 00007FF7A655302A
GCHeapHardLimitLOH, xrefs: 00007FF7A65530B1
GCProvModeStress, xrefs: 00007FF7A6552BCD
GCHeapHardLimit, xrefs: 00007FF7A6552C78
BGCFLEnableTBH, xrefs: 00007FF7A6553001
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF7A6553162
System.GC.HeapHardLimitLOH, xrefs: 00007FF7A65530AA
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF7A6553106
GCWriteBarrier, xrefs: 00007FF7A65531E7
BGCMLki, xrefs: 00007FF7A6552F5D
System.GC.HighMemoryPercent, xrefs: 00007FF7A6552B9F
System.GC.DynamicAdaptationMode, xrefs: 00007FF7A6553239
GCHighMemPercent, xrefs: 00007FF7A6552BA6
BGCSpin, xrefs: 00007FF7A65529F6
System.GC.HeapHardLimitPOH, xrefs: 00007FF7A65530DF
BGCFLSweepGoalLOH, xrefs: 00007FF7A6552E15
System.GC.HeapAffinitizeMask, xrefs: 00007FF7A6552B71
GCRegionSize, xrefs: 00007FF7A6552D28
GCGen1MaxBudget, xrefs: 00007FF7A6552C1F
System.GC.CpuGroup, xrefs: 00007FF7A65528F9
GCHeapHardLimitSOH, xrefs: 00007FF7A6553083
BGCMemGoalSlack, xrefs: 00007FF7A6552DC3
GCLatencyMode, xrefs: 00007FF7A6552ACD
BGCFLSweepGoal, xrefs: 00007FF7A6552DEC
BGCFLEnableKi, xrefs: 00007FF7A6552F86
System.GC.NoAffinitize, xrefs: 00007FF7A6552854
System.GC.Concurrent, xrefs: 00007FF7A6552782
gcConcurrent, xrefs: 00007FF7A6552789
BGCFLkp, xrefs: 00007FF7A6552E3E
GCNoAffinitize, xrefs: 00007FF7A655285B
BGCMLkp, xrefs: 00007FF7A6552F34
GCConserveMemory, xrefs: 00007FF7A65531C0
GCHeapHardLimitPOH, xrefs: 00007FF7A65530E6
GCEnabledInstructionSets, xrefs: 00007FF7A6553190
GCHeapCount, xrefs: 00007FF7A6552A26
GCHeapHardLimitLOHPercent, xrefs: 00007FF7A655313B
BGCFLki, xrefs: 00007FF7A6552E67
System.GC.ConserveMemory, xrefs: 00007FF7A65531B9
GCRetainVM, xrefs: 00007FF7A6552806
GCNumaAware, xrefs: 00007FF7A65528D1
GCRegionRange, xrefs: 00007FF7A6552CF6
GCCompactRatio, xrefs: 00007FF7A6552B48
System.GC.MaxHeapCount, xrefs: 00007FF7A6552A4D
BGCFLkd, xrefs: 00007FF7A6552E90
gcConservative, xrefs: 00007FF7A65527AF
System.GC.HeapCount, xrefs: 00007FF7A6552A1F
GCLowSkipRatio, xrefs: 00007FF7A6552C48
BGCFLTuningEnabled, xrefs: 00007FF7A6552D71
BGCFLff, xrefs: 00007FF7A6552EB9
System.GC.LargePages, xrefs: 00007FF7A6552926
BGCMemGoal, xrefs: 00007FF7A6552D9A
GCLatencyLevel, xrefs: 00007FF7A6552AF6
GCBreakOnOOM, xrefs: 00007FF7A655282C
BGCFLEnableSmooth, xrefs: 00007FF7A6552FD8
GCHeapHardLimitPOHPercent, xrefs: 00007FF7A6553169
System.GC.HeapHardLimit, xrefs: 00007FF7A6552C71
BGCFLGradualD, xrefs: 00007FF7A6552F0B
GCLargePages, xrefs: 00007FF7A655292D
BGCFLEnableKd, xrefs: 00007FF7A6552FAF
GCMaxHeapCount, xrefs: 00007FF7A6552A54
GCLogFileSize, xrefs: 00007FF7A6552B28
GCGen0MaxBudget, xrefs: 00007FF7A6552BF6
GCHeapAffinitizeMask, xrefs: 00007FF7A6552B78
GCLogEnabled, xrefs: 00007FF7A6552881
GCLOHCompact, xrefs: 00007FF7A655297B
GCSpinCountUnit, xrefs: 00007FF7A6553210
HeapVerify, xrefs: 00007FF7A6552953
GCSegmentSize, xrefs: 00007FF7A6552AA4
gcForceCompact, xrefs: 00007FF7A65527D7
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF7A6553134
BGCFLSmoothFactor, xrefs: 00007FF7A6552EEB
GCConfigLogEnabled, xrefs: 00007FF7A65528A9
GCHeapHardLimitSOHPercent, xrefs: 00007FF7A655310D
System.GC.Server, xrefs: 00007FF7A655275B
GCDynamicAdaptationMode, xrefs: 00007FF7A6553240
GCgen0size, xrefs: 00007FF7A6552A7B

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: strcmp
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 1004003707-1294421646
Opcode ID: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction ID: bf3fb726c49d9202fbdbd71e179c306daf34a7364be6d6e360a3a5a021bfaa0f
Opcode Fuzzy Hash: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction Fuzzy Hash: 6162C764D1BF4794EB90FB56AC440B3EB62AF55B44BCA607AC04D47272EE3CE1198B70

Function 00007FF7A6581200 Relevance: 21.8, APIs: 14, Instructions: 792COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF7A6581580
DebugBreak.KERNEL32 ref: 00007FF7A6581598
DebugBreak.KERNEL32 ref: 00007FF7A6581647
DebugBreak.KERNEL32 ref: 00007FF7A6581685
DebugBreak.KERNEL32 ref: 00007FF7A65816D5
DebugBreak.KERNEL32 ref: 00007FF7A6581726
DebugBreak.KERNEL32 ref: 00007FF7A658178B
DebugBreak.KERNEL32 ref: 00007FF7A65817E1
DebugBreak.KERNEL32 ref: 00007FF7A6581A18
DebugBreak.KERNEL32 ref: 00007FF7A6581B09
DebugBreak.KERNEL32 ref: 00007FF7A6581B8B
DebugBreak.KERNEL32 ref: 00007FF7A6581BC4
DebugBreak.KERNEL32 ref: 00007FF7A6581BF8
DebugBreak.KERNEL32 ref: 00007FF7A6581CD7

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction ID: 93da1530bca784306a3f98a5ad44335bf3e8006427fad4cfd438010abf5e4406
Opcode Fuzzy Hash: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction Fuzzy Hash: 0072B022E0AA4342EB60AB15D8403BAE7A1FF45F95F8A5135CE5D07BB5DF2CE440D7A0

Function 00007FF7A6551830 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7A655186C
GetCurrentProcess.KERNEL32 ref: 00007FF7A6551894
OpenProcessToken.ADVAPI32 ref: 00007FF7A65518A7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7A65518CC
GetLastError.KERNEL32 ref: 00007FF7A65518D4
CloseHandle.KERNEL32 ref: 00007FF7A65518E1
GetLargePageMinimum.KERNEL32 ref: 00007FF7A65518F6
VirtualAlloc.KERNEL32 ref: 00007FF7A6551927
GetCurrentProcess.KERNEL32 ref: 00007FF7A6551933
VirtualAllocExNuma.KERNEL32 ref: 00007FF7A6551953

Strings

SeLockMemoryPrivilege, xrefs: 00007FF7A6551865

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction ID: b5e3097f3126458713a5c4c7b0f4fe5de796796ce905d1acad10d24a001d609c
Opcode Fuzzy Hash: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction Fuzzy Hash: DF31B831A1EB4285F760AB61FC0937BABA2EF44F84F815035E94E07768DE3CD4488B60

Function 00007FF7A655EFE0 Relevance: 13.4, APIs: 5, Strings: 2, Instructions: 1181threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7A655F687
SwitchToThread.KERNEL32 ref: 00007FF7A655F7F0
SwitchToThread.KERNEL32 ref: 00007FF7A655F7F9
SwitchToThread.KERNEL32 ref: 00007FF7A655F823

Part of subcall function 00007FF7A6551630: QueryPerformanceCounter.KERNEL32 ref: 00007FF7A6551639

DebugBreak.KERNEL32 ref: 00007FF7A655F95E

Strings

GCHeap::Promote: Promote GC Root *%p = %p MT = %pT, xrefs: 00007FF7A655FB15
Concurrent GC: Restarting EE, xrefs: 00007FF7A655F66A

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: SwitchThread$BreakCounterDebugPerformanceQuery
String ID: GCHeap::Promote: Promote GC Root *%p = %p MT = %pT$Concurrent GC: Restarting EE
API String ID: 30421299-2108734148
Opcode ID: 6615c7b4db84cdefcc6dfb6fb544c900babefb5ec8c8e420ffc49294f2f83981
Instruction ID: dd33ff57edf0f996ba91611891e4b20cff0e039d2e3b9607678b27d304f794b8
Opcode Fuzzy Hash: 6615c7b4db84cdefcc6dfb6fb544c900babefb5ec8c8e420ffc49294f2f83981
Instruction Fuzzy Hash: 57C2D061A0BB4281FB51AB65ED48377A3A2AF44F84F9A5235E94D037B5DF3CE441CB20

Function 00007FF7A6561520 Relevance: 13.1, APIs: 8, Instructions: 1052threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7A6562074
DebugBreak.KERNEL32 ref: 00007FF7A6562087
SwitchToThread.KERNEL32 ref: 00007FF7A6562238
SwitchToThread.KERNEL32 ref: 00007FF7A6562262
SwitchToThread.KERNEL32 ref: 00007FF7A65622EE
SwitchToThread.KERNEL32 ref: 00007FF7A656248C
SwitchToThread.KERNEL32 ref: 00007FF7A6562495
SwitchToThread.KERNEL32 ref: 00007FF7A65624BF

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: SwitchThread$BreakDebug
String ID:
API String ID: 223621376-0
Opcode ID: beb2e0b6b3b2c051ba7bb93b1c7d8e203ffb364ae3d9539f13bd58a074cd23d5
Instruction ID: 547d45af7220ee3a76d34ce0a81ca7bdd7a3ac0244c1774fa6c4f80c44c9530a
Opcode Fuzzy Hash: beb2e0b6b3b2c051ba7bb93b1c7d8e203ffb364ae3d9539f13bd58a074cd23d5
Instruction Fuzzy Hash: 23B29C35E0AA4285EB60AB29DC40376E7A2AF45F94F9A1235D95D437B0DF3CE840C721

Function 00007FF7A657F960 Relevance: 10.9, APIs: 7, Instructions: 416COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A657D0E0: EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF7A657AE19,?,?,?,00007FF7A656CA43), ref: 00007FF7A657D139
Part of subcall function 00007FF7A657D0E0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF7A657AE19,?,?,?,00007FF7A656CA43), ref: 00007FF7A657D14F

DebugBreak.KERNEL32 ref: 00007FF7A657FE1E
DebugBreak.KERNEL32 ref: 00007FF7A657FE36
DebugBreak.KERNEL32 ref: 00007FF7A657FE4E
DebugBreak.KERNEL32 ref: 00007FF7A657FE6C
DebugBreak.KERNEL32 ref: 00007FF7A657FE8C
DebugBreak.KERNEL32 ref: 00007FF7A657FEA0
DebugBreak.KERNEL32 ref: 00007FF7A657FF51

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
Instruction ID: bcfc75f624905953eb768d85000a49230a1a3db486b776ba29dd9259493c7e76
Opcode Fuzzy Hash: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
Instruction Fuzzy Hash: BC129C22A1BB4681EB50EB91E84037BE3A1BF84F84F965935D94D037B5DF3CE540CA20

Function 00007FF7A657A7B0 Relevance: 10.9, APIs: 7, Instructions: 376COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF7A65792AB), ref: 00007FF7A657A909
EnterCriticalSection.KERNEL32 ref: 00007FF7A657AC36
LeaveCriticalSection.KERNEL32 ref: 00007FF7A657AC50
DebugBreak.KERNEL32 ref: 00007FF7A657ACFD
DebugBreak.KERNEL32 ref: 00007FF7A657AD1A
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF7A65792AB), ref: 00007FF7A657AD35
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF7A65792AB), ref: 00007FF7A657AD4E

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
Instruction ID: acd858f7ce8484a9e4bf3aa46e826682b449a405cbcd4f46bfeb8f77daaabeb9
Opcode Fuzzy Hash: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
Instruction Fuzzy Hash: 5F02AF72A0AB8286EB51AF25D84027AB7A1FF44F84F865535CA4D037B1DF3CE591CB20

Function 00007FF7A6546A50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7A65473A0), ref: 00007FF7A6546B07
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7A65473A0), ref: 00007FF7A6546C51
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7A65473A0), ref: 00007FF7A6546D33
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7A65473A0), ref: 00007FF7A6546D49
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7A65473A0), ref: 00007FF7A6546DBE

Strings

[ KeepUnwinding ], xrefs: 00007FF7A6546D5D

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction ID: d0f54a9fc08243989b430b6d23d7fdea35ba7077012cbcb59736ff3274a9a7df
Opcode Fuzzy Hash: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction Fuzzy Hash: 04B1843260AB4285EB949F25D8493AA73A6FF44F48FA94176CE4D073A8CF39E455C320

Function 00007FF7A65AB27C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7A65AB2A8
GetCurrentThreadId.KERNEL32 ref: 00007FF7A65AB2B6
GetCurrentProcessId.KERNEL32 ref: 00007FF7A65AB2C2
QueryPerformanceCounter.KERNEL32 ref: 00007FF7A65AB2D2

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction ID: 4b6ac3c1f31112f5bc7a2f84ebc1d202effc4f0e4df83fa6cd849d31664bcc2b
Opcode Fuzzy Hash: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction Fuzzy Hash: 79119A22B15F018AEB00DF61EC552B973A4FB19B18F811E31EEAD827A8DF38D1548750

Function 00007FF7A657D320 Relevance: 3.3, APIs: 2, Instructions: 326threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7A657D465
SwitchToThread.KERNEL32 ref: 00007FF7A657D495

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: ddf5a7c59728b91961856a1f3de8d77b860fc2794b24d806c874d2325e124f05
Instruction ID: bdf643a40eaf903aaed4867f5bfa9de2e1e519aae281a301c86777fbd9fad69f
Opcode Fuzzy Hash: ddf5a7c59728b91961856a1f3de8d77b860fc2794b24d806c874d2325e124f05
Instruction Fuzzy Hash: 45D1B332A0AA8585DB60AB15D84077BF3A1FB84F94F864A31DA9D437A4DF7CE540CF20

Function 00007FF7A656B6B0 Relevance: 3.3, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF7A656B9D2
DebugBreak.KERNEL32 ref: 00007FF7A656B9E3

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
Instruction ID: 76333c5e4ddf967de9d162f8d3083d0c73062f02e68d8115abb451bc2c04b6ad
Opcode Fuzzy Hash: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
Instruction Fuzzy Hash: B7E1E276A0AB4686EB10AF19DC4427AB7A6FB00F94F9A1235D91D037B4DF3CE491C720

Function 00007FF7A6584A40 Relevance: 3.2, APIs: 2, Instructions: 171COMMON

Download Yara Rule

APIs

FlushProcessWriteBuffers.KERNEL32 ref: 00007FF7A6584A78
FlushProcessWriteBuffers.KERNEL32 ref: 00007FF7A6584C8D

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
Instruction ID: d9281b7f3bb2a388eb460e800d587bc74816bc5c12b912b0ec6ab8eeeadb6b51
Opcode Fuzzy Hash: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
Instruction Fuzzy Hash: FB51FC92B067C142EE61AA74E8003BBDA95EB51FC1F9A8131DE5D47FE2DE3CD9449310

Function 00007FF7A6550470 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7A6544896,?,?,?,?,?,?,00007FF7A6541EA0), ref: 00007FF7A6550531
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7A6544896,?,?,?,?,?,?,00007FF7A6541EA0), ref: 00007FF7A6550590

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction ID: 4743ff9b7ef7d1944b7990863d5d849b7d4f7e57fd98db529cf5b264710ed307
Opcode Fuzzy Hash: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction Fuzzy Hash: 4F51CF32E0A31706FF685499D89D33B82C39BD5B54FC74538E96E532E9CD7ED8824224

Function 00007FF7A6548220 Relevance: 2.1, Strings: 1, Instructions: 834COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7A65482EE

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction ID: 3f1aca660ba15cf224bb04a13fdb1835bf788af7c9fadb9b58ad86ec09da1825
Opcode Fuzzy Hash: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction Fuzzy Hash: 2E62C6B3A16B0587E70C9F29C85976E76A2FB94F88F568136CA1D43798DF38D910C780

Function 00007FF7A656FDD0 Relevance: 1.9, APIs: 1, Instructions: 439COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A6550C50: CreateEventW.KERNEL32 ref: 00007FF7A6550C91

Part of subcall function 00007FF7A6551630: QueryPerformanceCounter.KERNEL32 ref: 00007FF7A6551639

DebugBreak.KERNEL32 ref: 00007FF7A657058A

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakCounterCreateDebugEventPerformanceQuery
String ID:
API String ID: 4239280443-0
Opcode ID: 5491d3f8da2e797241490e3cda2db23de3b51a53647b4561e21f0ad4d068944b
Instruction ID: 3ea0d635c79f00d5aa84a33ebd0420f9a40cb52ca13976c29a6f6affa115c90f
Opcode Fuzzy Hash: 5491d3f8da2e797241490e3cda2db23de3b51a53647b4561e21f0ad4d068944b
Instruction Fuzzy Hash: 7E422971D0AF8285E700AB25FC94276B3A6FF58B44F926239D98C12775DF3CA190DB60

Function 00007FF7A6607BA0 Relevance: 1.8, APIs: 1, Instructions: 347COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FF7A6607E0D

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: d7ae4015b6747c4f2a88c3bcd0e3919ab44728c05b91e0697f58cdc10b5d3ecf
Instruction ID: 348ce34b9239d0ff2d255d1d83b854ab73ed6fedb4dfa67df5a07d4c8b908c07
Opcode Fuzzy Hash: d7ae4015b6747c4f2a88c3bcd0e3919ab44728c05b91e0697f58cdc10b5d3ecf
Instruction Fuzzy Hash: FAD1A532E0A64685E715BB21CC446BEA7A2BB40F89F979435DE0D476A1DF3CE841CB60

Function 00007FF7A65735C0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7A6573B1C

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction ID: fa7f08c4b5e261a660f74c7e911161d53f4a3c2d7e09d13fe47b6be873f55847
Opcode Fuzzy Hash: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction Fuzzy Hash: E242A572A1AE8686EB10AB15EC4067AB761FF14FA0F865635C96D537B0CF3CE550CB20

Function 00007FF7A6569A50 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}, xrefs: 00007FF7A656A256

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID: ========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}
API String ID: 0-2256439813
Opcode ID: 7bd6a443cfe3054721747132375e6f82add6f116c3b8a460bf02874ed9b0fa60
Instruction ID: e091d32f280ec2a2bd8d0d3005b0008d1aa577d13ea154987d2b7973e54cff77
Opcode Fuzzy Hash: 7bd6a443cfe3054721747132375e6f82add6f116c3b8a460bf02874ed9b0fa60
Instruction Fuzzy Hash: 12428D31A0AE828AEB15AB19DC5036AB3A2FF45F44F9A5135CA4D03771DF3DE452CB60

Function 00007FF7A655E8A0 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF7A655E8EB

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: c36884137a1fbdc5629651c62ab30761a03d17dd0682946ebc7bc0764feb72a2
Instruction ID: cfb5f59533e577ae6fed82037c70f8c913a85b077e38a85db3dbedcfa366e740
Opcode Fuzzy Hash: c36884137a1fbdc5629651c62ab30761a03d17dd0682946ebc7bc0764feb72a2
Instruction Fuzzy Hash: 8F12C632A1AA4282EB10EB16E84877BF365FB45F94F964235EA5D437A8DF3CE441C710

Function 00007FF7A65644D0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7A6564713

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-3916222277
Opcode ID: 0f497518f3011c90386f56ae0dd19987edc3a4fef3325d72aee3a22fc2e24883
Instruction ID: 56ac9a5464050496293f1123ebfc7633aaaeae0eaa186c76bbeda913d493dc50
Opcode Fuzzy Hash: 0f497518f3011c90386f56ae0dd19987edc3a4fef3325d72aee3a22fc2e24883
Instruction Fuzzy Hash: A7D1E765A0AA4181EB10AB15E85027BF395FB41FA4F998331DA6D137F4EF3CE451C760

Function 00007FF7A65D9080 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF7A65D90F0

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction ID: fc2962ee150f8da669bb7324569f999e147f3a590b4569c6ca9028f7f39e12e9
Opcode Fuzzy Hash: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction Fuzzy Hash: DD015A33F016609DF720EBA1EC40AEE77B5BB4875CFA1402ADE0CA2A58DF349496C710

Function 00007FF7A6556A50 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

HB, xrefs: 00007FF7A6556D68

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID: HB
API String ID: 0-654769311
Opcode ID: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction ID: 0061eec9c09b9f00b02498958593c8b30fb1d4b2f1f30077e506ca4b5f992656
Opcode Fuzzy Hash: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction Fuzzy Hash: 55C15B32A0BA8692E760AF14EC482BBA3E1FF45B48F961535E94E47675DF3CE440C720

Function 00007FF7A6549430 Relevance: 1.0, Instructions: 971COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa54e4b404b83b64a3ef684d3fa7d9e7b579a293c5d3786dac23140140fd01d
Instruction ID: afa0294864241fac21778e50051f6d2543211f9bb39768cf04014e83ade2244d
Opcode Fuzzy Hash: 3fa54e4b404b83b64a3ef684d3fa7d9e7b579a293c5d3786dac23140140fd01d
Instruction Fuzzy Hash: BA8203B2B0978187EB149B15D9853AEB7A2FB84B80F658135DB4E03BA4DF3DE560C740

Function 00007FF7A6574390 Relevance: 1.0, Instructions: 955COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44773253abac8336c1d72ee043a06f130369fffe4656ea49cf70b632554c591
Instruction ID: 9e9fd0ef3a3ad128ae4bfb0f36b023477a2f399601c605e83f5cc288d6f1a5aa
Opcode Fuzzy Hash: c44773253abac8336c1d72ee043a06f130369fffe4656ea49cf70b632554c591
Instruction Fuzzy Hash: 6792FE61A1BA4685EB00AF25EC106B6E392BF45FC4FCA5636D90E537B0DF3CE5418B20

Function 00007FF7A65792CE Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e24ba0ba6bef78217b93cc1824f39f4ffccc09ca148982d560d43c4ab6c4d9
Instruction ID: a7fa61d84ec15558a98bd0550d0e9d89f16b8fc0699535e5298572041fa62122
Opcode Fuzzy Hash: f1e24ba0ba6bef78217b93cc1824f39f4ffccc09ca148982d560d43c4ab6c4d9
Instruction Fuzzy Hash: CA82CF71A0AA4289EB10AF25EC4427AA3A6FF44F84F965636D90D037B0DF3DE551CB70

Function 00007FF7A65788D9 Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f905b1f908e65b5aba95cf85111788d4451240a2511b24a2e32d8eb1b4069d57
Instruction ID: a4a129a40bdbee25e5d6b50c12c5f887fade6911f7c1eef4580d3628df637d92
Opcode Fuzzy Hash: f905b1f908e65b5aba95cf85111788d4451240a2511b24a2e32d8eb1b4069d57
Instruction Fuzzy Hash: 5482EF32B0AB8186EB10AF65E84427AB7A5FB44F98F960535DE4D53BA4CF3CE541CB10

Function 00007FF7A6565200 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5feb339442a0b79f58c974cad3d97fda4eb93d98ba6868e8e29d5f65b0f64f
Instruction ID: 8a048f1be871237c1db1a25c9da328bf1528524d1a8d2d70e1b72f8fc9cbccd1
Opcode Fuzzy Hash: bf5feb339442a0b79f58c974cad3d97fda4eb93d98ba6868e8e29d5f65b0f64f
Instruction Fuzzy Hash: 2A5283B6A57B9681EE659B18C84437AA7A0FF14FA4F999235CF6C033E0DF6CD490C211

Function 00007FF7A65752E0 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction ID: 85e00888fa6bee475017d0fda71e00efd4c365aa8ae89fcd336230e6210c388d
Opcode Fuzzy Hash: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction Fuzzy Hash: 6342B072B1AB4586EB109F65E84016EB3A1FB44F98F851931DF4E17BA8CE3CE551CB20

Function 00007FF7A6575C20 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction ID: df891dc529ea8ef274733ffbedc7885b413cb25c14cde2402ef078d373de82b2
Opcode Fuzzy Hash: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction Fuzzy Hash: 7242D872F0AB4589EB10DF65D8001BEA3A2FF04F88B854936DE0D277A4DE38E555C760

Function 00007FF7A657BEA0 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456757d216aacf14f41c1d1ac0cd8049a835610a21c3933073f91090c7e01898
Instruction ID: ba327baf22d90d062d80d5610c6810bad2246dd131b35898bd0cdbfa961d7a49
Opcode Fuzzy Hash: 456757d216aacf14f41c1d1ac0cd8049a835610a21c3933073f91090c7e01898
Instruction Fuzzy Hash: 3142E362B0AA5A86EB50EF08EC4066AB761FB41FD0FC65535DA4D477A8CF3CE544CB10

Function 00007FF7A6562D30 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction ID: 3efba234c09e8ae78be735f6ca6d9f84231e73bd7f180ee5fb96301aca4be2e1
Opcode Fuzzy Hash: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction Fuzzy Hash: BF221422A1AFC549D607AB35E8413B6E395AF56BC4F999332ED4F22771DF2DA042C310

Function 00007FF7A66100E0 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10a91a420f83ef269157d36f9a2c016ddaa9393997882352c17c1d84d133b48
Instruction ID: de5e9053e8c60c83e899192ac0263f67f9062f86b34f2ef11ed77f534fbb0800
Opcode Fuzzy Hash: e10a91a420f83ef269157d36f9a2c016ddaa9393997882352c17c1d84d133b48
Instruction Fuzzy Hash: 6002BE72B05A518AEB10EF25D8806AD7371FB98F98F52A122DE5D53B65CF34D8C1CB40

Function 00007FF7A657B4F0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: af019d92b74d7be67137a52f9c77fda3c993f8b49f31bc8590fea9e3453cb08d
Instruction ID: 036a595636469f2ac81d907f3ee3fbacc932494a7202a0525aa62cc324b92475
Opcode Fuzzy Hash: af019d92b74d7be67137a52f9c77fda3c993f8b49f31bc8590fea9e3453cb08d
Instruction Fuzzy Hash: B40215A2B06A4586EB10AF19E8003BAF7A1FB45FA4F865635D92D477E4DF3CE141CB10

Function 00007FF7A6560360 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68f8225f78dbd7e70b131091e98211d99f4f2d9e2b5582c38477461e06b5bdc
Instruction ID: cdf571808749a8a2ea1430e3d80d3ec38f2e3398f011b45b4e2924cd643411da
Opcode Fuzzy Hash: b68f8225f78dbd7e70b131091e98211d99f4f2d9e2b5582c38477461e06b5bdc
Instruction Fuzzy Hash: 0802E376A16A4586EB50EF19D94467AB3A1EB40FA4F8A5331CA7D437F0CE3CE441C721

Function 00007FF7A6568200 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ac5e8acc702e800c044c972fee63d3d4d5d63e4fdd02a0179034e1d588b70a
Instruction ID: 9fc1ef909641905e7564d0c737038178ec49c1c46fc69e828bcdc9aca4cfcdd2
Opcode Fuzzy Hash: 02ac5e8acc702e800c044c972fee63d3d4d5d63e4fdd02a0179034e1d588b70a
Instruction Fuzzy Hash: 23F15C21F2AB4D41E916963799013B6D6426F6ABC4E5DDB32E94D32770EF3CB081C721

Function 00007FF7A6572370 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: bdf8833cee21c139ef57a5bee3b8c50e71db7ac1327d835877ec4aba224b51aa
Instruction ID: 8597065f752853103a7cf6e214d1c52c81f66ee95c9ee5d09ccf908595f3925e
Opcode Fuzzy Hash: bdf8833cee21c139ef57a5bee3b8c50e71db7ac1327d835877ec4aba224b51aa
Instruction Fuzzy Hash: 0202B571E0EA4686F715AB29EC40237E6A3AF55F40F965A36C44D13A70DF3CB681CE20

Function 00007FF7A65791B0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323b4a52389b31af78a198108c136ecd75e8293e50210e2468e6e8b2983b1f89
Instruction ID: d16b431237bc80995460f6acf11dfcfa8cf50a4aeaec2ccfa525c161ccf3a7d9
Opcode Fuzzy Hash: 323b4a52389b31af78a198108c136ecd75e8293e50210e2468e6e8b2983b1f89
Instruction Fuzzy Hash: 54E11872A0A64586EB11AB25EC4867BB7A6FB45F94F964631CD1E037B0CF3CE541CB20

Function 00007FF7A6564CD9 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78bf327fc7d401db98ee101711161cfb4b90b568116cb42030e1b04918fb35b
Instruction ID: 0c6194331088df0b4cc1c7b064cb87947b4186f057bb501af7f4b6f0f2fc110e
Opcode Fuzzy Hash: d78bf327fc7d401db98ee101711161cfb4b90b568116cb42030e1b04918fb35b
Instruction Fuzzy Hash: 39D1E566B1AB8681EB109F25D84427AA361FB55FA4F8A9331CA6D077E4DF3CE441C311

Function 00007FF7A65799C3 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12337283fe58a1ae982f19855bdc68314bb18f96eaedbf97d3c33e1d47e9e1d
Instruction ID: 55bd32d2dccc9aeaf9fbd2700cc83fc4a48a9ff20632d1773a2b99108a665068
Opcode Fuzzy Hash: b12337283fe58a1ae982f19855bdc68314bb18f96eaedbf97d3c33e1d47e9e1d
Instruction Fuzzy Hash: 8FD1DF61A0AA4289EB00AF25DC442BAA3A2FF44F94F865636CD1D077B4DF3DE551CB70

Function 00007FF7A65667F0 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction ID: 5f85c341a314bc846523de4e2794b065836797e391e10e69848545f3ccb08872
Opcode Fuzzy Hash: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction Fuzzy Hash: 73E17F7AA0AE4681EB10AF15D84437AA3A1FF04F98F8A1635DA5C077B8DF3CE450C761

Function 00007FF7A6577C79 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d7dac9d533b3180a345ae923d8f6c9575024258e8af4de554390141a09baf3
Instruction ID: bbd066c7b20499297bd2c7bb66984092e5af87f8f0918ca5d4aded76604616ed
Opcode Fuzzy Hash: 20d7dac9d533b3180a345ae923d8f6c9575024258e8af4de554390141a09baf3
Instruction Fuzzy Hash: 5EC1E332A0AB4686EB16AB25EC4857BB7A6FB44F84F964536C90D13770DF3CE541CB20

Function 00007FF7A656A420 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction ID: b2630196f698c6cbf15bc152a07ca60a1ebffe75ed258358bdcc04ce9d6fcc85
Opcode Fuzzy Hash: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction Fuzzy Hash: EDC1A435A0AA4682EB40AB09EC4453AF7A6FF44FA4F8A5235C96D437B4CF3CE451D721

Function 00007FF7A65F3480 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction ID: 38e476c9f6e97d358f26e761a290f9ebf6711ea9d9c32899f08459c8e8bb6f56
Opcode Fuzzy Hash: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction Fuzzy Hash: 7AA19363A0E25185F759AB12ED1037BE791EB80F95F824031EE8E077A4EB7CE481DB50

Function 00007FF7A6573F60 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction ID: 871855b38e48cf7e667365bb31afcdf31bf70c514279ae9d0300f025b84390ed
Opcode Fuzzy Hash: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction Fuzzy Hash: 2EC17131A1AE4682E740AB09EC4017AB7A6FB45FA0F865635D96D477F0CF3CE560CB20

Function 00007FF7A657F280 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
Instruction ID: b532919676aadd75bab01998b209c36901d2e33eaac8f3eb350ba4bc184f2408
Opcode Fuzzy Hash: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
Instruction Fuzzy Hash: 84B1E16271AA9182EB00DF15E94437AB3A5FB44FA4F868635DA6D477E4DF3CE040DB20

Function 00007FF7A657E540 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction ID: 99040c8810181b2fb1be42c61fe54535665ff1849dd1a581c685e3b22e859c79
Opcode Fuzzy Hash: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction Fuzzy Hash: 4891B611E2AF8A89E707E736AC41176D2567F66FC1B96D731D80F32671EF2C71828920

Function 00007FF7A657B180 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a85621e283accacced8221b17d10a49faa8c26bd841f71e3662727ff5320864
Instruction ID: 972b378c5a4ee340cdc382d94d7ff433717fe3d451ae3c9f38e50e84e88f53c1
Opcode Fuzzy Hash: 2a85621e283accacced8221b17d10a49faa8c26bd841f71e3662727ff5320864
Instruction Fuzzy Hash: 9291DAA2A07A5586EB14EF05DC4027EB7A2FB40F94F865635CA5E477B4CE3CD581CB10

Function 00007FF7A657BBA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e7110b9251933381237f45dafbe83c08329d0dfb3fdd3f62539a26e3327acb
Instruction ID: e566433f556ae396d41b47b137a5f764769450232a79f9071520f1c14bcba456
Opcode Fuzzy Hash: 79e7110b9251933381237f45dafbe83c08329d0dfb3fdd3f62539a26e3327acb
Instruction Fuzzy Hash: 8081F6B2B06A5A82EB00DF09D84467AB7A5FB44FA0F864A35DE2D473E4DE3CE541C710

Function 00007FF7A65A1910 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction ID: dff7d6f8459b21001362357a905d51caffc3e892bccc759933236c360940e663
Opcode Fuzzy Hash: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction Fuzzy Hash: 2DA17B32E0AA4686E720AF25EC552BEA7A2FB54F84F921131DD4E07774DE3CE044CB60

Function 00007FF7A654A8B0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction ID: e48fc5e21a59f349fc0fed5cb12a4c565a56f30f2b317d233b05a9175dabba68
Opcode Fuzzy Hash: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction Fuzzy Hash: E68139B3B11A4587EB49DF29C8847AA7366EB48F84F958035CB0D47BA8DF38D681C750

Function 00007FF7A65483C4 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction ID: fd65db80e7e6a4eda73732a3eec56d0f9feef43351a90ea28f94f11ee46a08d4
Opcode Fuzzy Hash: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction Fuzzy Hash: EF61D277B12B4147D70C9F28C85966E76A2FBE4F88BA68136CA1D43798DF38D511C780

Function 00007FF7A656A850 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction ID: ccf5ab01669886e2e50d7ed49b972a259fab919d14b8009d0fc445c0be9cbad4
Opcode Fuzzy Hash: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction Fuzzy Hash: CE512B36F1774E01E906937A950167AE152AF5ABC4E9EDB32D90E327A0EF3DF081D610

Function 00007FF7A661E240 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction ID: 6b3cd8bb0d3ab30f40346abcaf332a4a3b2a46cce8783f3b3def34740533cc24
Opcode Fuzzy Hash: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction Fuzzy Hash: F5512092E3D17243D73887189412A3FF293EB91B41F81A335E59E46EE1E72DD1419F10

Function 00007FF7A656FB40 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction ID: 50003d3a770fc24ade97909d1cf8b2b452e509551092dd3c1088a0d7f7001466
Opcode Fuzzy Hash: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction Fuzzy Hash: 17611526E2AF4549DA06DBB4D45026AD256BF56FC0F598732ED0F33760EF3DA182C210

Function 00007FF7A6620200 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction ID: 17dd75387c4f05d34cc21c7f0203e9de0ef0a36c5b90eb4b51e1166ce5315e4b
Opcode Fuzzy Hash: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction Fuzzy Hash: B1511922A066819AD714EF26DC455BAB7A2EF58F84F859135FE4C83761EF38D441C710

Function 00007FF7A6563640 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction ID: 9f5407292851b0948a83190b6896fda76ebca9def9e6fe60aa067688b8d8fd0b
Opcode Fuzzy Hash: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction Fuzzy Hash: 50613832A16FC185D716DB24D84197AE29AFF81BC4BD9A331ED4F62260DF3CA192C710

Function 00007FF7A657C800 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096d27cd634f33b2b39273a113a3bfa11cc36e2ee31c477455c3f03cc6ef90c3
Instruction ID: 872b681584520dfe4bc800049f49a94e57f565b4f0307655edcc505e583976cc
Opcode Fuzzy Hash: 096d27cd634f33b2b39273a113a3bfa11cc36e2ee31c477455c3f03cc6ef90c3
Instruction Fuzzy Hash: D761E572B06A5586DB00EF09D8042AAB7A1FB45FE0F8A5635DE6E477A4CF7CE540C710

Function 00007FF7A65FCC30 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c3f70d5fe85c86b58ccce79dd20537651d5941e22fc2a909815bcf02fae0a2
Instruction ID: f3502dc03138b64a2171f1587f1c01ac5ba78bd9f880e1b23250094c4a142c1f
Opcode Fuzzy Hash: 13c3f70d5fe85c86b58ccce79dd20537651d5941e22fc2a909815bcf02fae0a2
Instruction Fuzzy Hash: 39516062B0A50282FF68BF26DC5127FA751AF95FC0F965031DA0E877B5DE2CD8418720

Function 00007FF7A65580D0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
Instruction ID: d1e0dd681ab70f5658403a6796fb3b43839aeff08e80e6b94d87a4b3b86ac87a
Opcode Fuzzy Hash: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
Instruction Fuzzy Hash: ED414B61E1AF1941ED09A776AD45136D1529F5ABD0EA9D732E82E263F4EF2C70804610

Function 00007FF7A6566610 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction ID: 54eb58929066b02a14a9449ee57dad6eb8ae32e719f57b812479ed36ed21256f
Opcode Fuzzy Hash: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction Fuzzy Hash: 1141A26AB15A8A86EE00DF06E8441AAA372FB54FC0FCA6032DE1E57725DF3CE551C711

Function 00007FF7A6624450 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3a55e49a23a19c6e99d4e2879a1303fdaddfc18d9bca4d098764dac0d00ba1
Instruction ID: 3939146c066d2708cae77eb685671c74a3299766069b022b63f237a6a66ff3e9
Opcode Fuzzy Hash: 8c3a55e49a23a19c6e99d4e2879a1303fdaddfc18d9bca4d098764dac0d00ba1
Instruction Fuzzy Hash: 9531B562F0A10246EB14BB26DC4017B9653AB84FC4FD66434ED1E577F6DE2CE8418760

Function 00007FF7A6602AC0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction ID: b0d180a4e02b48d50b4012c490965260bd150a99ccf79caacb5254b452b16a6c
Opcode Fuzzy Hash: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction Fuzzy Hash: 56418B32B04BA489E715CBB5E8406EE77B5FB58748F65812AEE4C97A18DF34C592C700

Function 00007FF7A6571470 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction ID: 2d18c336702280df6960984defabcfa4f57c3c7b3227d67a515452a490c1dbc8
Opcode Fuzzy Hash: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction Fuzzy Hash: 5321FB26F2814202EBB4AB39F69567F5361EB85B80F892030DE0D02E65ED18D6818E10

Function 00007FF7A6627A90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221cf158b9a98e13d59b20ce11f85cd83d7d464265b0073024cff9ca69588a45
Instruction ID: d59aa3f96f7289a41371d21b44e3914ddd2fe2bdd28ccbb9713634dada7d3030
Opcode Fuzzy Hash: 221cf158b9a98e13d59b20ce11f85cd83d7d464265b0073024cff9ca69588a45
Instruction Fuzzy Hash: 60110463B0A24285E715BF22EC845BAE712AF85FD1F959471DF0C0BBA6CE3CC4818310

Function 00007FF7A65CF9C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd73dc21319d55d5cd51ae119c2cd724b2eedb2a74dd1c6a194b4a6c8a9077be
Instruction ID: 0933f0dac278ee2a52d16ada3d4c768abe0283d42e48c65d65bb5d725d1cd999
Opcode Fuzzy Hash: fd73dc21319d55d5cd51ae119c2cd724b2eedb2a74dd1c6a194b4a6c8a9077be
Instruction Fuzzy Hash: E6F0D004E0B01646F90CBA229C5A2FFD2620F97F80FA56874EA1E1F7A7DD1C94525364

Function 00007FF7A65CFAA0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb870c6da8980ab108728cb2512e603d96d3e36e6137f51798ee13c9ceab7c4e
Instruction ID: 904738b1618e152ebcb9cd6f98d110127c6fd433be520e548bec8daf8e1c579f
Opcode Fuzzy Hash: bb870c6da8980ab108728cb2512e603d96d3e36e6137f51798ee13c9ceab7c4e
Instruction Fuzzy Hash: 3AE04804E1710645E91CFA619C653FBD1621F96F40FA51430EA1E1B7B7DD1C94015330

Function 00007FF7A65B9FC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334c71db2373eca22ed1fe030cc8b17200d83776fff50a61cfaf6ec7c3de23df
Instruction ID: edcb83aaf1748f4efa498414e88e582dc532ca3db9335880106cb63c1be1fe7d
Opcode Fuzzy Hash: 334c71db2373eca22ed1fe030cc8b17200d83776fff50a61cfaf6ec7c3de23df
Instruction Fuzzy Hash: 38D05E44E2601A40EC087A238C190B7C2611F56FC0DE52070EC0E2BB669D0C94034324

Function 00007FF7A65A90A0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 136COMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A65A9193
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A65A91B0

Strings

roc, xrefs: 00007FF7A65A9265
islamic, xrefs: 00007FF7A65A9231
dangi, xrefs: 00007FF7A65A91FD
japanese, xrefs: 00007FF7A65A91A6
buddhist, xrefs: 00007FF7A65A91C3
islamic-umalqura, xrefs: 00007FF7A65A924B
hebrew, xrefs: 00007FF7A65A91E0
calendar, xrefs: 00007FF7A65A9102
gregorian, xrefs: 00007FF7A65A9189
persian, xrefs: 00007FF7A65A9217

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: _stricmp
String ID: buddhist$calendar$dangi$gregorian$hebrew$islamic$islamic-umalqura$japanese$persian$roc
API String ID: 2884411883-3649728362
Opcode ID: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction ID: ca307c4d172753cbb9ad027f9c53be30ef7c5ed636999a6a96a17ad16cad6cd7
Opcode Fuzzy Hash: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction Fuzzy Hash: 4D514E25A1E65351EA10AB16EC183B7E395EFA4F84FC26031DC0E466B5EF6DE405C760

Function 00007FF7A654C1A0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654C1DE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654C206
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654C226
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654C246
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654C266
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654C28A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654C2AE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654C2D2

Strings

GCHeapHardLimitLOH, xrefs: 00007FF7A654C23C
GCHeapHardLimit, xrefs: 00007FF7A654C1D7
GCHeapHardLimitPOHPercent, xrefs: 00007FF7A654C2C8
GCHeapHardLimitPOH, xrefs: 00007FF7A654C25C
GCHeapHardLimitLOHPercent, xrefs: 00007FF7A654C2A4
GCHeapHardLimitSOHPercent, xrefs: 00007FF7A654C280
GCHeapHardLimitSOH, xrefs: 00007FF7A654C21C
GCHeapHardLimitPercent, xrefs: 00007FF7A654C1FC

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
API String ID: 1004003707-945519297
Opcode ID: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction ID: 63045ab9d755121d54774fb4ef4233a1feb2ddfc68ffc609ff8354a6898444b8
Opcode Fuzzy Hash: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction Fuzzy Hash: 6A415E20A0EA4244EA40BB16DD041B7D352AF96FF4FDA23B1D97D576F5EF1CE8028660

Function 00007FF7A654B3B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF7A6545007), ref: 00007FF7A654B3D3
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF7A6545007), ref: 00007FF7A654B3E8
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7A6545007), ref: 00007FF7A654B3F5
InitializeContext.KERNEL32(?,?,?,?,?,00007FF7A6545007), ref: 00007FF7A654B433
GetLastError.KERNEL32(?,?,?,?,?,00007FF7A6545007), ref: 00007FF7A654B441
InitializeContext.KERNEL32(?,?,?,?,?,00007FF7A6545007), ref: 00007FF7A654B495

Strings

kernel32.dll, xrefs: 00007FF7A654B3CC
InitializeContext2, xrefs: 00007FF7A654B3DE

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: bf7d35e48df714c612ab66266faaa2ff6652ce620ea3f11c073d427a00be551f
Instruction ID: 41f7dc40ef1276fc590d58aed59e098ebb980846ab20ef4234d7304cf7ee4d2c
Opcode Fuzzy Hash: bf7d35e48df714c612ab66266faaa2ff6652ce620ea3f11c073d427a00be551f
Instruction Fuzzy Hash: 86317071A0AB4682EA01AB55E844277E3A2EF44FD4F9A1431DD8D42774DF7CE486CB20

Function 00007FF7A6544E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83threadlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF7A654B731
GetProcAddress.KERNEL32 ref: 00007FF7A654B741
GetLastError.KERNEL32 ref: 00007FF7A654B794
SuspendThread.KERNEL32 ref: 00007FF7A654B7AD
GetThreadContext.KERNEL32 ref: 00007FF7A654B7C8
ResumeThread.KERNEL32 ref: 00007FF7A654B7F2

Strings

QueueUserAPC2, xrefs: 00007FF7A654B73A
kernel32, xrefs: 00007FF7A654B724

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
String ID: QueueUserAPC2$kernel32
API String ID: 3714266957-4022151419
Opcode ID: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction ID: 7c3d09a8119ea47718f1eaf09c838dcdc5c3cd36dd1052233e35983fca2f219e
Opcode Fuzzy Hash: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction Fuzzy Hash: 7131A870A0EA4241EA54FB16EC4837BA392EF45FA4FD51230C96D46AF4DF2CE4058720

Function 00007FF7A656BC40 Relevance: 9.2, APIs: 6, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
Instruction ID: f5629e700c42fa5f1217057d2c16486a97e8242b634aeab0fc3ed6165c758d8d
Opcode Fuzzy Hash: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
Instruction Fuzzy Hash: 6F71AFA5A0BA4242EB10BB11DD4027BE3A6BF54F94F9E5035DA1D07AB9CF3CE460C761

Function 00007FF7A6580FE0 Relevance: 9.2, APIs: 6, Instructions: 151COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF7A6581090
DebugBreak.KERNEL32 ref: 00007FF7A65810CD
DebugBreak.KERNEL32 ref: 00007FF7A65810E8
DebugBreak.KERNEL32 ref: 00007FF7A658111D
DebugBreak.KERNEL32 ref: 00007FF7A6581138
DebugBreak.KERNEL32 ref: 00007FF7A65811A9

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction ID: cbdc61f96d63751568db3c7718948cb83de84525eae2d5debe3e039cf05828bd
Opcode Fuzzy Hash: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction Fuzzy Hash: A551A522E0AA4396EA25BB51CC441BEE3A1FB84F95FC74135CA1D037A1DE3CE491D3A0

Function 00007FF7A6562770 Relevance: 9.1, APIs: 6, Instructions: 132threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7A65627B7
LeaveCriticalSection.KERNEL32 ref: 00007FF7A65627CF
SwitchToThread.KERNEL32 ref: 00007FF7A656288C
SwitchToThread.KERNEL32 ref: 00007FF7A6562895
SwitchToThread.KERNEL32 ref: 00007FF7A65628BF
LeaveCriticalSection.KERNEL32 ref: 00007FF7A6562963

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSectionSwitchThread$Leave$Enter
String ID:
API String ID: 1765607624-0
Opcode ID: faad790ec28286bda2ef36a915e46beff94c7fcad6aaa131053e1d9cfa2025f0
Instruction ID: 1ede4e05a6ffce4269a8dd875254afb74e6745cfc13afa0721968c79d75e5812
Opcode Fuzzy Hash: faad790ec28286bda2ef36a915e46beff94c7fcad6aaa131053e1d9cfa2025f0
Instruction Fuzzy Hash: 60515D34D0BA0386F760BB29EC45577E292AF41F54FDA1235E52D826F2CE2CA841DA71

Function 00007FF7A6581DE0 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF7A6581FB1,?,?,000002AAAB6F1490,00007FF7A65814E2), ref: 00007FF7A6581E89
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF7A6581FB1,?,?,000002AAAB6F1490,00007FF7A65814E2), ref: 00007FF7A6581EA1
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF7A6581FB1,?,?,000002AAAB6F1490,00007FF7A65814E2), ref: 00007FF7A6581EB9
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF7A6581FB1,?,?,000002AAAB6F1490,00007FF7A65814E2), ref: 00007FF7A6581ED7
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF7A6581FB1,?,?,000002AAAB6F1490,00007FF7A65814E2), ref: 00007FF7A6581EFC
DebugBreak.KERNEL32 ref: 00007FF7A6581F30

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction ID: 3c08b9531eba47a5800e99de93078bc39ebdb7ebf86b8d8c50a86310e61d9480
Opcode Fuzzy Hash: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction Fuzzy Hash: 55419622A0A69342E7617B61D80017FEB91AF45F95F9A0034EE4D16EA6CF3CD440C7B1

Function 00007FF7A6545260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A654B6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF7A654B6A4

GetCurrentProcess.KERNEL32 ref: 00007FF7A65452A6
GetCurrentThread.KERNEL32 ref: 00007FF7A65452AE
DuplicateHandle.KERNEL32 ref: 00007FF7A65452D2

Part of subcall function 00007FF7A654CA20: VirtualQuery.KERNEL32 ref: 00007FF7A654CA52

RaiseFailFastException.KERNEL32 ref: 00007FF7A6545300

Strings

, xrefs: 00007FF7A6545314

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-3916222277
Opcode ID: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
Instruction ID: 8f97b219546f674847b3ebbb0b4412f53edb3d4494ce49c8a782384cd1535d8a
Opcode Fuzzy Hash: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
Instruction Fuzzy Hash: D6118E72609B818AD764EF25F84419BB361FB45BB4F544334E6BD0B6EACF78D0428700

Function 00007FF7A6576730 Relevance: 7.6, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7A65767DE
LeaveCriticalSection.KERNEL32 ref: 00007FF7A6576824
EnterCriticalSection.KERNEL32 ref: 00007FF7A65768F6
LeaveCriticalSection.KERNEL32 ref: 00007FF7A6576917
EnterCriticalSection.KERNEL32 ref: 00007FF7A657695F
LeaveCriticalSection.KERNEL32 ref: 00007FF7A6576980

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
Instruction ID: 92663a6ea4aa3ba0321492b855157cca9ecac4b65987315f055d716fd5e12ec9
Opcode Fuzzy Hash: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
Instruction Fuzzy Hash: 61615821E0AF4284EB50AF15EC843B7E3A1AF85F90F9A5436D98D43675DF3CE5818B60

Function 00007FF7A6571A50 Relevance: 7.6, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7A6571AEA
LeaveCriticalSection.KERNEL32 ref: 00007FF7A6571B2F

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
Instruction ID: 217460e706c10f8aa6ba76e285e6460c036692801db3a305403fdeb2839b4307
Opcode Fuzzy Hash: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
Instruction Fuzzy Hash: 48512A31D0AF4281EB60AF14EC403B6F3A5EB84F80F9A5436D98D43675EE3CE5558B60

Function 00007FF7A6543540 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF7A65435E0
RaiseFailFastException.KERNEL32 ref: 00007FF7A65436E9
RaiseFailFastException.KERNEL32 ref: 00007FF7A6543726

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF7A65435CA

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: 8c7f27cb811299753a952a27045d38bbe572bc9dae65ba32a05ed8a71e85e72f
Instruction ID: db2eb4268bcab843e3594b1424c75aefb704bdd920f3e82ffaab25edd35fb544
Opcode Fuzzy Hash: 8c7f27cb811299753a952a27045d38bbe572bc9dae65ba32a05ed8a71e85e72f
Instruction Fuzzy Hash: 1D51B431A1AA4280EF54AB16DC4437AA392EF48F84FE65172DA5E477B0DF6CE4558310

Function 00007FF7A6580570 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF7A655AF49), ref: 00007FF7A65805EB
SwitchToThread.KERNEL32(?,?,?,00007FF7A655AF49), ref: 00007FF7A6580692
SwitchToThread.KERNEL32(?,?,?,00007FF7A655AF49), ref: 00007FF7A65806A8

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction ID: 79046e828966daaf4afa42954c47bc22b4ca4683f042e81b2ef9171aa86c432c
Opcode Fuzzy Hash: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction Fuzzy Hash: A341B732B0A74585FB606E26D84063BB2D0EB41F95F959139C66E46FA5DE3CE480A720

Function 00007FF7A6580E70 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,00000000,?,00007FF7A655E7B5,?,?,00000001,00007FF7A656CA48), ref: 00007FF7A6580F49
DebugBreak.KERNEL32(?,00000000,?,00007FF7A655E7B5,?,?,00000001,00007FF7A656CA48), ref: 00007FF7A6580F66
DebugBreak.KERNEL32(?,00000000,?,00007FF7A655E7B5,?,?,00000001,00007FF7A656CA48), ref: 00007FF7A6580F81
DebugBreak.KERNEL32(?,00000000,?,00007FF7A655E7B5,?,?,00000001,00007FF7A656CA48), ref: 00007FF7A6580F9A

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction ID: 3d352d5e83a78b7bd96fc03001117aafade5b0f2146003ba7cecfa9a76a9a7d6
Opcode Fuzzy Hash: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction Fuzzy Hash: 3F41F421A0B65282EA61AB10D84037BE7E0EF14F59F9B4034DEAC07BA5CF7CE481D360

Function 00007FF7A656F280 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,00000000,?,00007FF7A656B16E,?,?,-8000000000000000,00007FF7A657E9AE,?,?,?,00007FF7A65588C3), ref: 00007FF7A656F339
DebugBreak.KERNEL32(?,?,00000000,?,00007FF7A656B16E,?,?,-8000000000000000,00007FF7A657E9AE,?,?,?,00007FF7A65588C3), ref: 00007FF7A656F356
DebugBreak.KERNEL32(?,?,00000000,?,00007FF7A656B16E,?,?,-8000000000000000,00007FF7A657E9AE,?,?,?,00007FF7A65588C3), ref: 00007FF7A656F376
DebugBreak.KERNEL32(?,?,00000000,?,00007FF7A656B16E,?,?,-8000000000000000,00007FF7A657E9AE,?,?,?,00007FF7A65588C3), ref: 00007FF7A656F399

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
Instruction ID: 19efddb8d9ad1c6790bcbcb9d4371bd25cf1d4441f627f4e9697445fdfa189c7
Opcode Fuzzy Hash: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
Instruction Fuzzy Hash: E831E226A0A78282EA60BF95E80027AF2A5FF44F84F9E0434DA4D036A5CF3CD440C372

Function 00007FF7A654B520 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A65453F1), ref: 00007FF7A654B554
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A65453F1), ref: 00007FF7A654B55E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A65453F1), ref: 00007FF7A654B57D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A65453F1), ref: 00007FF7A654B591

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction ID: 176345fd506d20bcfd21d99a21ea99d90e84ea9c176fff28cd5cc1f70eff2a17
Opcode Fuzzy Hash: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction Fuzzy Hash: 0C118271A1D65586D7245B2AF80516BF2A2FB88F94FA50139FA8E43BB8DF3CD400CB50

Function 00007FF7A65AC658 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A65AB963), ref: 00007FF7A65AC6A8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A65AB963), ref: 00007FF7A65AC6E9

Strings

csm, xrefs: 00007FF7A65AC6D6

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction ID: b2d8f07aa734fae5ffbc3ec3ac215994c3022b439c377dff341e2bc7aa810869
Opcode Fuzzy Hash: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction Fuzzy Hash: 29112E32619B8182EB21DF19F84426AB7E5FB98F84F595231DE8D0B768DF3CD5518B00

Function 00007FF7A654D050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF7A654C313,?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654D08B
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF7A654C313,?,?,?,00007FF7A6552967,?,?,?,?,00007FF7A654B845), ref: 00007FF7A654D0C8

Strings

HeapVerify, xrefs: 00007FF7A654D05F

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: _stricmpstrtoull
String ID: HeapVerify
API String ID: 4031153986-2674988305
Opcode ID: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction ID: 6dae08cb7e79a875baff636cd11752a2ab229a16eb1c84e6d8bafa34e2c57177
Opcode Fuzzy Hash: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction Fuzzy Hash: D7019671A0A641D9DB10BF21ED8407AF3A1FB68F80F965171D64D03729DF3CD445CA50

Function 00007FF7A6573260 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF7A655D6BF,01FFF001,00000000,00000000,00007FF7A656BD4F), ref: 00007FF7A65732ED
LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF7A655D6BF,01FFF001,00000000,00000000,00007FF7A656BD4F), ref: 00007FF7A657333E
EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF7A655D6BF,01FFF001,00000000,00000000,00007FF7A656BD4F), ref: 00007FF7A6573374
LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF7A655D6BF,01FFF001,00000000,00000000,00007FF7A656BD4F), ref: 00007FF7A657338F

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: e743cea26d5aa4e05b231aa46b4469101279d7ee653fa58b53f11e4b04d877f5
Instruction ID: 34d282ea7a690154e69ccafb465205a1d87f21155e00bc2e2ffa752f97adbbb1
Opcode Fuzzy Hash: e743cea26d5aa4e05b231aa46b4469101279d7ee653fa58b53f11e4b04d877f5
Instruction Fuzzy Hash: FF41AF31A0DA4281EB20AF11EC4437AF391AB44FA4F954531E95D57AB5CF3CE644CB60

Function 00007FF7A6564020 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7A656419F,?,?,?,00007FF7A6571E7B), ref: 00007FF7A656406A
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7A656419F,?,?,?,00007FF7A6571E7B), ref: 00007FF7A65640AC
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7A656419F,?,?,?,00007FF7A6571E7B), ref: 00007FF7A65640D7
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7A656419F,?,?,?,00007FF7A6571E7B), ref: 00007FF7A65640F8

Memory Dump Source

Source File: 00000000.00000002.1503019707.00007FF7A6541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A6540000, based on PE: true

Associated: 00000000.00000002.1503005487.00007FF7A6540000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503076573.00007FF7A6629000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503102507.00007FF7A665A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503139739.00007FF7A66CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1503184858.00007FF7A66CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a6540000_Payment-Order #24560274 for 8,380 USD.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction ID: 92fed243a530e9f6eb796e387065925f26f9dcafa0774b1ac623dd5640c62d4d
Opcode Fuzzy Hash: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction Fuzzy Hash: 34216D21E0AE0281EB10AF14EC843B6A351EF10FA4FDA9236D42D466F5DF2CE595C761

Analysis Process: MSBuild.exePID: 6224, Parent PID: 5484COMMON

Executed Functions

Function 03155280 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b16f4821c9fc042e89594736f13fcc12a98ab01150187efeecb8ec4ba3741f8
Instruction ID: ab28dc3ece853df23a61697b1ebb8535a7d2fa2357da7866f5567a9234717b13
Opcode Fuzzy Hash: 7b16f4821c9fc042e89594736f13fcc12a98ab01150187efeecb8ec4ba3741f8
Instruction Fuzzy Hash: F2B13F70E10209CFDF14CFA9D88579DBBF3AF89315F188529E826EB254EB749845CB81

Function 03155B50 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023f8da28182f5fc035ec262901dfc73387c33481417cbecec51d070d09e4060
Instruction ID: 7113733b9cd24b4f7bfa34ae2cd01ac25ed3d7fb81ae68dcdae95df19b37c0e0
Opcode Fuzzy Hash: 023f8da28182f5fc035ec262901dfc73387c33481417cbecec51d070d09e4060
Instruction Fuzzy Hash: D7B16F71E00209CFDB14CFA9D88579EFBF3AF49710F188529E826EB254EB759845CB81

Function 03152CB1 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|, xrefs: 03152D0F

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: bdd8baffbb113b107842478a07ca0de06ce7dde5a97279c894316f647afa68ff
Instruction ID: 3fe70d96568c0864657e146a590c2e71b02ef2c6a8cab634bd39be0da88e0218
Opcode Fuzzy Hash: bdd8baffbb113b107842478a07ca0de06ce7dde5a97279c894316f647afa68ff
Instruction Fuzzy Hash: 28214D75B00214CFDB64DFB89854BADB7F1AF4C600F144469E95AEB360DB759D018B90

Function 03156B6B Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7550cd97d59e50c559c66a148800a9a4be3815e1a2c6853cac2c6b90602df2
Instruction ID: 931ea6a547af77b786a8ab4b02d3c7bc3ad92f553a42fa8de0b22ee0031f8add
Opcode Fuzzy Hash: fd7550cd97d59e50c559c66a148800a9a4be3815e1a2c6853cac2c6b90602df2
Instruction Fuzzy Hash: EC519E31700240DFD715DB79D858B99BBF2AF8A710F1981AAE411DB3A2DB759C05CB90

Function 03155275 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167578993ee0bc4eb340092faea015fc8521bed5a668c5d5d70bc391d3278580
Instruction ID: 9b0462849569b7418cf8e29943ff03a055d4f3c095a64ac9892bb7ab2f4e70fa
Opcode Fuzzy Hash: 167578993ee0bc4eb340092faea015fc8521bed5a668c5d5d70bc391d3278580
Instruction Fuzzy Hash: 66B13D70E10209DFDF10CFA9D8857DEBBF2AF49315F188129E826EB254EB759845CB81

Function 03155B44 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19dd72493701d30aea1a5251d4162d486342b6662f79f644e84fff22d36259c6
Instruction ID: fd92083050e1421e84906be3002f9d802f365e222980604d149b2d1e9305b49e
Opcode Fuzzy Hash: 19dd72493701d30aea1a5251d4162d486342b6662f79f644e84fff22d36259c6
Instruction Fuzzy Hash: 01B16D71E00209CFDB10CFA9D8857DEFBF2AF49714F188529E826EB254EB759845CB81

Function 031508D0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc67fdee076a9995b9ffde22b42404c78c5379d802e073b356ce9eac6ef54a4
Instruction ID: edf93b3a5d2af4c37f64cb2d58db119478d5409d93866d38f4ca9a252c7b33f8
Opcode Fuzzy Hash: 3cc67fdee076a9995b9ffde22b42404c78c5379d802e073b356ce9eac6ef54a4
Instruction Fuzzy Hash: 3361AC307002058FDB25EF78E858A6E7BB2FFC9710B114969D416EB3A9DF349C049B91

Function 031558C8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1194be54947dd8041de8dac4264bb4de6fd1b345c849970f61ff9d1d1ca85de8
Instruction ID: 4f8efd8200150f10fdf4e7242b01b8c11227eb87dc9b276b627ae695c7567750
Opcode Fuzzy Hash: 1194be54947dd8041de8dac4264bb4de6fd1b345c849970f61ff9d1d1ca85de8
Instruction Fuzzy Hash: 78715070E00209DFDF14CFA9C88579EFBF2AF89310F188129E825A7254EB749845CB91

Function 031558BC Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf64e71ad0c904a23079ff7fda73dc17c7f3c4f5f5c267ba5ce2d0bfc5f171b
Instruction ID: e92880a7bde42dbe26e1480973c5c6a28ffb667267a3953babdd4f8c7bb707ab
Opcode Fuzzy Hash: baf64e71ad0c904a23079ff7fda73dc17c7f3c4f5f5c267ba5ce2d0bfc5f171b
Instruction Fuzzy Hash: 13715D71E00209DFDF14CFA9C8857DEFBF2AF89710F188129E826AB254E7759845CB91

Function 03152A29 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d02b7b72efce888e675d66dc589dc2f724c6eedd2fe2cabe8224d30437c061
Instruction ID: 98b3ec7792a7c8bd7f085f54485acb6431b2d40db6dad90b44bf9b60aa07b061
Opcode Fuzzy Hash: 57d02b7b72efce888e675d66dc589dc2f724c6eedd2fe2cabe8224d30437c061
Instruction Fuzzy Hash: F5512271340214DBEB58EB68E81876E77AFFB8C641F20846DD40AD77A4CE799C019BA1

Function 03152A38 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8193a551347cab34e9edce1b54181b962dabd2dcc292b469b1e6de8840f77c2
Instruction ID: 3526672dc927a8f4e8933eb9c06d5cd270e2b8e91caf90b82624190da5d4a9b6
Opcode Fuzzy Hash: d8193a551347cab34e9edce1b54181b962dabd2dcc292b469b1e6de8840f77c2
Instruction Fuzzy Hash: 0B512071340214DBEB58EB68E81872E77AFEBCC641F20802DE40A977A4CE759C019BA5

Function 03151A08 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0141b61cc1120a8b6a6bb8fa455c78bfe008269689cdad6a18bff364d4ec3e8
Instruction ID: 70ee8900ff693f55c5d92f9eb063c72a3b6d55e9c6b63c926a6a0183293a02b9
Opcode Fuzzy Hash: d0141b61cc1120a8b6a6bb8fa455c78bfe008269689cdad6a18bff364d4ec3e8
Instruction Fuzzy Hash: 66517B707003059FE714EFB8D45876A7BA2FB99710F20456CD816AF3A5DF799C068B90

Function 03156710 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e4f3748ca336067792581152149278e39694d7771a3956cc4cdf3e27a44939
Instruction ID: 1643a8155f98dfe13f0ad8d2b422aba2d81545a74c019d1e17a38e235da845e7
Opcode Fuzzy Hash: d7e4f3748ca336067792581152149278e39694d7771a3956cc4cdf3e27a44939
Instruction Fuzzy Hash: 48516971E00208DFDB04DFA8C990BDDBBF6BF88300F14806AE815AB255DB759D09CB90

Function 03156F08 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f42d5cc04b366375a9f8bb6e570e15adf47e37190de965ccc787eaecbc2a3f
Instruction ID: ecb4309a73a292717cc4f6e24d49032762fdbad7595e5f5cfb8dcf8fa5dfdfb2
Opcode Fuzzy Hash: 30f42d5cc04b366375a9f8bb6e570e15adf47e37190de965ccc787eaecbc2a3f
Instruction Fuzzy Hash: 99515931B00204DFDB14DB69D859B6DBBF2AF89710F158169E811EB3A1CB71DC04CB90

Function 03152D88 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4b6b04c555173ac9f7b644b80b77f75be443ff1bd5ed6fa66a026c30538f6e
Instruction ID: 2cbcbee85302febffbc31a58a543ceca86ee5fd0b7dd9a7780d256e1e6f15d11
Opcode Fuzzy Hash: fd4b6b04c555173ac9f7b644b80b77f75be443ff1bd5ed6fa66a026c30538f6e
Instruction Fuzzy Hash: 5241BF31A043088FDB14EB79D4547AEBBF6EFC9214F14882DD51AAB380DF799C068B95

Function 031576B0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a7198026991a9bc350804be8a96878e47b7f474d3ecc5725aa6bc0464420b9
Instruction ID: 4ba6ca3238afee40dd2909875ba35e848ca5d20a34da1dce4da84d47bcaa1ee1
Opcode Fuzzy Hash: 78a7198026991a9bc350804be8a96878e47b7f474d3ecc5725aa6bc0464420b9
Instruction Fuzzy Hash: 0641C171A04345CFD700DF69E88869AFFF5FF49310F1981AAD818EB252E735A944CBA1

Function 03156794 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4013f8dfd50a3f54d15d1e642b57a0536d04b68606af449b15a4becfb8da9530
Instruction ID: 0dbe1652b8e92d16919ca532c80aa0976d6825c8560873975e867bc3de58ae82
Opcode Fuzzy Hash: 4013f8dfd50a3f54d15d1e642b57a0536d04b68606af449b15a4becfb8da9530
Instruction Fuzzy Hash: E641F2B5D00248EFCB14CFA9C984BDDBBF2AF48300F14802AE815AB255CB75A945CF90

Function 031563EC Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d9d97448202cd8a64fd5aa48219614d37671d52c1c0ceca6ae4efa9ffd2f97
Instruction ID: d1feca68b2c2eb57aa244387b2d242a47f8b46fa765ca7ccbe56789921d331c0
Opcode Fuzzy Hash: 20d9d97448202cd8a64fd5aa48219614d37671d52c1c0ceca6ae4efa9ffd2f97
Instruction Fuzzy Hash: 3D4100B5D00258EFCF14DFA9C984BDDBBF6BF48300F14802AE815AB255DB75A949CB90

Function 031508BF Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3d8e69746e7c6f6889cecde041a3fc45928ed2b2ae2c29d4c577accec43585
Instruction ID: fe3455be7e29c9db5eac72fc849ddc1cfb02ab88cd1fb896a0c98f42bb3e279b
Opcode Fuzzy Hash: 7e3d8e69746e7c6f6889cecde041a3fc45928ed2b2ae2c29d4c577accec43585
Instruction Fuzzy Hash: 4E316C717003058FDB24EF78F89C5AE7BA2FB8E3403014528D826AB6A9DF349D058F81

Function 03153795 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b1fa8f4bd1c207889fdd01f6c2c4ede3442a03913bfaecee1670a6a7957e5b
Instruction ID: c2bb10473dec1d61e4098466f67a86dad656d9f459a7db58a77deb10ab9bb216
Opcode Fuzzy Hash: a1b1fa8f4bd1c207889fdd01f6c2c4ede3442a03913bfaecee1670a6a7957e5b
Instruction Fuzzy Hash: 1741F0B5D00309DFDB14CFA9C884BDEBBF5BF48310F148529E819AB254DB75A945CB90

Function 031537A0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee15cc0cc1a569acb007f1cb45f37846940d0cb7b182acda3aeb82db5d1ad7
Instruction ID: 80f1d321c4e201fda99b82abc9c560dbd0291a9ad2d49c998c22693f41fbf810
Opcode Fuzzy Hash: 72ee15cc0cc1a569acb007f1cb45f37846940d0cb7b182acda3aeb82db5d1ad7
Instruction Fuzzy Hash: 6541EEB5D0034DDFDB14CFA9C884BDEBBB5BF48310F148429E829AB250DB75A945CB90

Function 03150A69 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712cb20c82140ce7280d4edc498e49bb2febd20ea9a46b571475c7a1b3a19f7c
Instruction ID: 96cd8c8ccce84dc402da96a07616a074400c8162e9c76574ea88108deb63a476
Opcode Fuzzy Hash: 712cb20c82140ce7280d4edc498e49bb2febd20ea9a46b571475c7a1b3a19f7c
Instruction Fuzzy Hash: 2131AC347002058FDB44DB69D894B6E7BF2BFC8B10F2584A9E505EF3A5CA719C009B90

Function 03156921 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b8f16d0caf6a3fb4905e7829af566d878e8612fd4ce9b3532184674a0b694f
Instruction ID: 9e505f5b4eeb3347998007f01e01aa3945e1c7810e8bb3b5076f3f4b58e73c91
Opcode Fuzzy Hash: 61b8f16d0caf6a3fb4905e7829af566d878e8612fd4ce9b3532184674a0b694f
Instruction Fuzzy Hash: 4C318431B00219CFDB19EB74D4646AEB7B2EB8C600F54906CE912AB3A4DF359C41CB91

Function 03151000 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a19359368e67a78d9378eb19493b5f8443bb1f476aded4f0790a41e51279f9d
Instruction ID: 092d39bded5c6b135d57af39aaa7c772ce7bbc5b71a3e7c613a9ebf1b0f4cde9
Opcode Fuzzy Hash: 4a19359368e67a78d9378eb19493b5f8443bb1f476aded4f0790a41e51279f9d
Instruction Fuzzy Hash: 1D218371B402059FDB54EBF998543AEBAEAFFCC260B14843DD50BE7354DE34890147A1

Function 03152098 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a6d468db9e9856123a0271b465131b0ac5be58ba5c803fad3d6fe7bb56064f
Instruction ID: 5fdde1d563b758f443c632331cc5a2e7a85d870d2d3fd83de36a34d0f723116a
Opcode Fuzzy Hash: 72a6d468db9e9856123a0271b465131b0ac5be58ba5c803fad3d6fe7bb56064f
Instruction Fuzzy Hash: 62212131F00218DFDB18DBA4D8547EEBBB6FF8C210F144429E912A7284DB359D46CB65

Function 0151D224 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640612196.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_151d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b83f6c138105ebeafa6886f613dc2fe4de84d80a421818e66def3a8f96c7415
Instruction ID: 92daddd3cbfa3998a2681873e2bd9d50f3d16964819a7fb3c8c58ca46fbae1c9
Opcode Fuzzy Hash: 0b83f6c138105ebeafa6886f613dc2fe4de84d80a421818e66def3a8f96c7415
Instruction Fuzzy Hash: 57210672504240DFEB06DF94D9C4B5ABBB5FB88324F24C569E9250E28AC33AD416CBA1

Function 03150EE9 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86b744463e16adfe38136f457109393a26a0f73996f5936bcb36717edb37dc1
Instruction ID: 55faa6f7a6b02e496b644991a3eb162a19e0bea272c7f580d3b5299767ad5e9b
Opcode Fuzzy Hash: c86b744463e16adfe38136f457109393a26a0f73996f5936bcb36717edb37dc1
Instruction Fuzzy Hash: 3A316170A00309DFDB01EFB8E85469DBBB6FF89300F1085A9D416AB254DF35AE45CB91

Function 03151010 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c058c5cef08ecbc6692611d18711b31cd7ea64d4df145a4db45c7700f426c3f7
Instruction ID: e1cfb9f9bd644e6e33939b8d65d26fc24e90630c0c766d9b20252bd10f894724
Opcode Fuzzy Hash: c058c5cef08ecbc6692611d18711b31cd7ea64d4df145a4db45c7700f426c3f7
Instruction Fuzzy Hash: 2E116D71B402459FDB44EBFA982836EBAEAFFC9220B148429D54BD7344DE348C0557A1

Function 03150EF8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee74e1426cc42baf20fa59516bab6749167b203c21b0e4a6b640ddc474ccdc5
Instruction ID: 945f3d5c4a9c03aae676be4666cbf977a39d1b51152485889b7e5c3e91c9927d
Opcode Fuzzy Hash: 5ee74e1426cc42baf20fa59516bab6749167b203c21b0e4a6b640ddc474ccdc5
Instruction Fuzzy Hash: 8E213D70A00309EFDB01EBB8E8586ADBBB6FF98200F108569E416A7254DF359E45CB91

Function 03151918 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c79fd10e90701506b7bab7c398ef870d4ad3251ef0475195999eae42a06681
Instruction ID: 56ccee891535e005667b29bdadcf189b0c88f3a2a4b4a1ebba4c6d8c3c66d9f7
Opcode Fuzzy Hash: 83c79fd10e90701506b7bab7c398ef870d4ad3251ef0475195999eae42a06681
Instruction Fuzzy Hash: 6A211574B00110DFDB19DF69E448A69B7B2FF9CB1071582A9E816EB371DB35AD05CB40

Function 03157820 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e5a285f2018f6360193327dd9861015f899bf8f75fa17b6aba77661892945d
Instruction ID: c0f4b90c2e54062b17c5c3c32cb2a59f9b1574514147df3ef5ab38629f489f85
Opcode Fuzzy Hash: e4e5a285f2018f6360193327dd9861015f899bf8f75fa17b6aba77661892945d
Instruction Fuzzy Hash: DA11D330740216DFD701DBB8E85835EBBB3FF8C710F28816AD916A72A5DB3A4D528791

Function 0151D21F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640612196.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_151d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dce05a956da371322a9adc0a0d4b4c51a05561a1f56c2dd05ac87206c169886
Instruction ID: 98b4b998e4efd943b35fbf22bcc315785707eaef670ebfe16855b85f8ba96b27
Opcode Fuzzy Hash: 5dce05a956da371322a9adc0a0d4b4c51a05561a1f56c2dd05ac87206c169886
Instruction Fuzzy Hash: 6521DF76504280CFDB06CF44D9C4B5ABF72FB88324F24C6A9D8190F65AC33AD456CBA1

Function 03152D78 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8e69627800c91139615eec12964b807436ad3c1ef0d35ac8620388f9937219
Instruction ID: da2b6535f210a67f36159725a6b4fdaff9fbef4200642b49c67c5cbb6c07c29b
Opcode Fuzzy Hash: 9e8e69627800c91139615eec12964b807436ad3c1ef0d35ac8620388f9937219
Instruction Fuzzy Hash: B101CC323043088FC726AB3898A466E77E3AFCA114709447DE41ACF391DF359C038742

Function 0315099B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5e1abc23ab156dbd23d179c1d092f3a139323ba9fe63624eace6715ee37a9e
Instruction ID: 44c2ee89d005d4fb2d8294ac06aa285aad87f9f06e43ffa4865db8096d1860c5
Opcode Fuzzy Hash: 4c5e1abc23ab156dbd23d179c1d092f3a139323ba9fe63624eace6715ee37a9e
Instruction Fuzzy Hash: 15118E72700B048FDA69EBB9951816E77E6BFCA2103418E6DC427AB694DF34DD048B91

Function 03156668 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f83e6303e572fe38616ef6fee40d34602ce212a817b38458d1138325b40f5ec
Instruction ID: baffdc57f7fe957adea8233e4b2b7c020ce5dd3fa978042a30d89bf466ef96e6
Opcode Fuzzy Hash: 2f83e6303e572fe38616ef6fee40d34602ce212a817b38458d1138325b40f5ec
Instruction Fuzzy Hash: B901C436A00215CBEB24DB68E8046EDB3B6AB89210F491135ED25AB294DF359994CB91

Function 03157848 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0006712955fd4e991b90712a2c0d0f411980237a53d5f3185b0a4fa4af20c5de
Instruction ID: d8afa56b0eae9a5af257127c00f5939f204d504b33a91842ecddba0ead42a523
Opcode Fuzzy Hash: 0006712955fd4e991b90712a2c0d0f411980237a53d5f3185b0a4fa4af20c5de
Instruction Fuzzy Hash: E5019630B40219DFEB05EBB8E41836E7BB6FB8C710F108129A916972D4DF354D4197D1

Function 0315790A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e1bc308bc114fe6dc00db2c04e7b0b7aa6711522b0f3f0d04d4c509d53a185
Instruction ID: 775fe071e760f7713ee299ebbff5aa6fecc8c88fb329d0ece47e709b25e65d52
Opcode Fuzzy Hash: 74e1bc308bc114fe6dc00db2c04e7b0b7aa6711522b0f3f0d04d4c509d53a185
Instruction Fuzzy Hash: 7001A771B00205CFC755EBA498127EEF7A6FB48210F048168E859EB280EB715A0087D5

Function 031579A2 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56209059ee17683aab302b2ca62e453d1f2033de4f31ad477a1da1128b54b720
Instruction ID: 14b3aafd827530e7099cb9495b8ab67cd59946e3cdfc19b56207dbf41c676adc
Opcode Fuzzy Hash: 56209059ee17683aab302b2ca62e453d1f2033de4f31ad477a1da1128b54b720
Instruction Fuzzy Hash: FB1122B58007488FDB20CF9AC485BDEBBF4EB48310F24841AD859A3250C3396644CFA0

Function 03151780 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f24cf980653d5a88a6fdb990f633f04af37edc58b5e2fd6a9da2aad0003e31
Instruction ID: f2504e82bb477a8bcb2bd2ed6a6033cc5f18f45843b3c441bcd740faae82e0c8
Opcode Fuzzy Hash: 67f24cf980653d5a88a6fdb990f633f04af37edc58b5e2fd6a9da2aad0003e31
Instruction Fuzzy Hash: B1018470900209DFEB14EFBDD5546AEBBB6EF89700B014629D852A7244DF359944CBA2

Function 03151959 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b842c6bb226ded60edf139f7999997a45f98286a8125f659e573de06bdce0aab
Instruction ID: 59d329e009bed4aca51a82ff497882098c984d5725d588a348b4698d76d47204
Opcode Fuzzy Hash: b842c6bb226ded60edf139f7999997a45f98286a8125f659e573de06bdce0aab
Instruction Fuzzy Hash: 36013235B00210DFDB18DF29E408A18B7A2FF98B1071981A9EC238F3B1CB32AC048B00

Function 031579A8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ece13db2d71b26c4b1ecb0cfd2edb473bfd21bba5858dd0bddd698cbcaa5c31
Instruction ID: cbe8082575f213d10d607ab86158e4740f09c62d06777e84937335492f4631c3
Opcode Fuzzy Hash: 5ece13db2d71b26c4b1ecb0cfd2edb473bfd21bba5858dd0bddd698cbcaa5c31
Instruction Fuzzy Hash: 8F1112B58007498FDB10CF9AC585BDEFBF4EB49314F248459D459A7240D375A544CFA1

Function 03156441 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4064f7b004390205025f6aba7b057845da9ad234af997711d5c4e35aceeb98
Instruction ID: c75ae05cdcdea4fd46e4dd5ec67384f3fc111e918fae2e3f0515c0728176a649
Opcode Fuzzy Hash: bb4064f7b004390205025f6aba7b057845da9ad234af997711d5c4e35aceeb98
Instruction Fuzzy Hash: C8F0C83AB00114EFCB04D668E440AEF73F6ABCD650B2045A9E805F7350DF665E058BD0

Function 031565E7 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39ae79e682e15a9f963ae9144660a3bde692e4dcb6b38ad6021efb92308529b
Instruction ID: 90e4fec662f57bebcbeb374e37d894293a602cc5c47a854bd259ad1cb7c01eff
Opcode Fuzzy Hash: a39ae79e682e15a9f963ae9144660a3bde692e4dcb6b38ad6021efb92308529b
Instruction Fuzzy Hash: 26F06232B041259BCB10AAB8EC644DF7BB5AFC9710F44056DD506AB760DB2569118BD2

Function 031518A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2720a335fb36b08affa3451f6232473dfdc8138ad5bea7fd58d7ef6c33aeb5
Instruction ID: d772c6ab963cf7598384f16f1832915269afbf5a0c676647df1d27b2975ffc10
Opcode Fuzzy Hash: fa2720a335fb36b08affa3451f6232473dfdc8138ad5bea7fd58d7ef6c33aeb5
Instruction Fuzzy Hash: BDF0C2757042109FD725DB74D858A693BF6EF8A220B1641E9E402DF3B6CB289C04CB90

Function 03151770 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cebe0d14032fc84de7c0bbe319fcf15148a01308c51120c34c97c1f743bb09
Instruction ID: 94423b7bb9eae08fb715a78cf235aa764e749eb185dc0192f63be5f5a39c5213
Opcode Fuzzy Hash: 59cebe0d14032fc84de7c0bbe319fcf15148a01308c51120c34c97c1f743bb09
Instruction Fuzzy Hash: 2101F430904249DFD721EFACC4941AEBFB5EF85300F00462DD8526B244DF319A48CB91

Function 03151996 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee60011c62080a94b3f21a76429c3145c79e6dcbdfdb9cc5b711c53766f00e39
Instruction ID: 4cae3c6d894a58f2c2e3001396785c52332cc774466e00345c4fe7966e73da18
Opcode Fuzzy Hash: ee60011c62080a94b3f21a76429c3145c79e6dcbdfdb9cc5b711c53766f00e39
Instruction Fuzzy Hash: 5EF05E75B00220DFCB19DF64E518158B762EF9871471942B9EC275F3B5DB36AC45CB40

Function 031518B8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c36f27781d2f8b7b497f10bb7e355e2adce9fb25e729a60628d42b7b9ce9f8a
Instruction ID: 1ce128442d90633d636aa5af5cb475104a1e8873530390a022fe0486dc2c7e55
Opcode Fuzzy Hash: 0c36f27781d2f8b7b497f10bb7e355e2adce9fb25e729a60628d42b7b9ce9f8a
Instruction Fuzzy Hash: 42F08275700114DFD724EF74D458A2937E6AF4A620B1544A8E4029B3B5CF64DC44C790

Function 03151660 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7420080757657ba844feaf438e3d234ab58cc7c43bc6094135f529c056e183d
Instruction ID: 263395e373352241f69af1e0cfabadb2a2627c268e711390987a480acb3c729b
Opcode Fuzzy Hash: a7420080757657ba844feaf438e3d234ab58cc7c43bc6094135f529c056e183d
Instruction Fuzzy Hash: 55E04F71D44309DFCB41EFA8E8813DDFBF0AB48200F0442AA881DD7211E77057118BC1

Function 031519E3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2c7065f90b0a8abd9f9397502f893ee63907d850988729c98546025a1f3ecc
Instruction ID: 459175fb012266c2fc2faecf479162c65d6ea80c8e45882376335bf1b85bcdb9
Opcode Fuzzy Hash: 3d2c7065f90b0a8abd9f9397502f893ee63907d850988729c98546025a1f3ecc
Instruction Fuzzy Hash: 8DC01232500208CBCB24FBB0E8090DC7725EE45321B144775E93A490E49B7219299740

Function 03151751 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4e2d22ca00fa0b5f8afced3acdb21ffc78943c7b05c388b00332b5dc3496b3
Instruction ID: 936f698852a9479bdff0ade13d0bd5b30777ce10ea493efd7ab15277b49e6438
Opcode Fuzzy Hash: 6f4e2d22ca00fa0b5f8afced3acdb21ffc78943c7b05c388b00332b5dc3496b3
Instruction Fuzzy Hash: 31C0923228E2A54FC31387909C608D97FB0BCC771238E09DA8585DFA97C51CBB299352

Function 03151297 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3640876498.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3150000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94105be634c4c39a67fe688ed45810982f6bbb2f03047b3f8e74219e616dbf0
Instruction ID: fa79e2c9843cb9ef28a42ad733d2f35b0ceb499a4a4aa90ee714ee12e7de26a0
Opcode Fuzzy Hash: a94105be634c4c39a67fe688ed45810982f6bbb2f03047b3f8e74219e616dbf0
Instruction Fuzzy Hash: B6C04C6140D7C1DFCB138BA0581A6923FB65F4721571A00EBD891CE197D63A045AD726

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment-Order #24560274 for 8,380 USD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msbuild.exe_8c87657e7f4436c9bc615563fd86f2ef7eb379e_833cf7ea_edbdef1e-03ce-41a2-802a-63ffe250d54f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C7D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DF5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E16.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Payment-Order #24560274 for 8,380 USD.exe

Function 00007FF7A6551460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Function 00007FF7A6559340 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Function 00007FF7A656C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393
COMMON

Function 00007FF7A6551010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Function 00007FF7A654B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Function 00007FF7A6544740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Function 00007FF7A65454E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Function 00007FF7A654BA80 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Function 00007FF7A6550E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Function 00007FF7A6582320 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Function 00007FF7A65516E0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Function 00007FF7A655759B Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Function 00007FF7A65AB610 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Function 00007FF7A654BA40 Relevance: 3.0, APIs: 2, Instructions: 18
threadCOMMON