Windows Analysis Report
orderconfirmation.exe

Overview

General Information

Sample name: orderconfirmation.exe
Analysis ID: 1519505
MD5: 1dfda6fc13c7efab9f6148e7339ab80c
SHA1: d5c7e9b3bc28e876ae223f9a6dd9b4d7f6cda9fd
SHA256: 47a1bbb47ede2daa62558515a9a4e98410a8b2d7c9e74fe5c45783969c48be39
Tags: exe, user-N3utralZ0ne

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Initial sample is a PE file and has a suspicious name
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: stogeneratmns.shop Avira URL Cloud: Label: malware
Source: reinforcenh.shop Avira URL Cloud: Label: malware
Source: fragnantbui.shop Avira URL Cloud: Label: malware
Source: offensivedzvju.shop Avira URL Cloud: Label: malware
Source: gutterydhowi.shop Avira URL Cloud: Label: malware
Source: drawzhotdog.shop Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop Avira URL Cloud: Label: malware
Source: vozmeatillu.shop Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\ckmfqeimpicbuy Avira: detection malicious, Label: HEUR/AGEN.1318482
Source: explorer.exe.7928.9.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["ghostreedmnu.shop", "vozmeatillu.shop", "drawzhotdog.shop", "stogeneratmns.shop", "teenylogicod.shop", "reinforcenh.shop", "gutterydhowi.shop", "fragnantbui.shop", "offensivedzvju.shop"], "Build id": "DtiPjR--NashTraff"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: reinforcenh.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: stogeneratmns.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: fragnantbui.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: drawzhotdog.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: vozmeatillu.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: offensivedzvju.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: gutterydhowi.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: teenylogicod.shop
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000009.00000002.1681938549.000000000027D000.00000002.00000001.01000000.00000000.sdmp String decryptor: DtiPjR--NashTraff
Source: orderconfirmation.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\orderconfirmation.exe File opened: C:\Users\user\AppData\Local\Temp\msvcr100.dll
Source: Binary string: msvcp100.amd64.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1417369534.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422273891.000000006179F000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1477771422.000000006153F000.00000002.00000001.01000000.0000000F.sdmp, msvcp100.dll.2.dr
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxDDU\VBoxDDU.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1418137709.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1423065431.00007FFBAB8E5000.00000002.00000001.01000000.00000006.sdmp, Virtual.exe, 00000003.00000002.1478925227.00007FFBAB885000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: msvcr100.amd64.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422104815.0000000061701000.00000002.00000001.01000000.00000009.sdmp, Virtual.exe, 00000002.00000003.1417587234.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477963143.0000000061621000.00000002.00000001.01000000.0000000E.sdmp, msvcr100.dll.2.dr, msvcr100.dll.0.dr
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxSVC\VBoxSVC.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: ntdll.pdb source: Virtual.exe, 00000002.00000002.1421706058.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1421846022.0000000003910000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477438432.0000000003E56000.00000004.00000001.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477068006.000000000385B000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477228614.0000000003C50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000004.00000002.1682634371.000000000500D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1683019066.0000000005470000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682537513.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682361980.00000000051A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Virtual.exe, 00000002.00000002.1421706058.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1421846022.0000000003910000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477438432.0000000003E56000.00000004.00000001.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477068006.000000000385B000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477228614.0000000003C50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxRT\VBoxRT.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422833949.00007FFBAAC45000.00000002.00000001.01000000.00000007.sdmp, Virtual.exe, 00000003.00000002.1478677352.00007FFBAA515000.00000002.00000001.01000000.0000000D.sdmp, VBoxRT.dll.0.dr
Source: Binary string: wntdll.pdb source: cmd.exe, 00000004.00000002.1682634371.000000000500D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1683019066.0000000005470000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682537513.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682361980.00000000051A5000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: teenylogicod.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: orderconfirmation.exe, 00000000.00000003.1405215894.000000000254A000.00000004.00001000.00020000.00000000.sdmp, orderconfirmation.exe, 00000000.00000003.1404300449.0000000003060000.00000004.00000020.00020000.00000000.sdmp, orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1419101660.000000000330F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1418137709.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: orderconfirmation.exe, 00000000.00000003.1405215894.000000000254A000.00000004.00001000.00020000.00000000.sdmp, orderconfirmation.exe, 00000000.00000003.1404300449.0000000003060000.00000004.00000020.00020000.00000000.sdmp, orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1419101660.000000000330F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1418137709.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: orderconfirmation.exe, 00000000.00000003.1405215894.000000000254A000.00000004.00001000.00020000.00000000.sdmp, orderconfirmation.exe, 00000000.00000003.1404300449.0000000003060000.00000004.00000020.00020000.00000000.sdmp, orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1419101660.000000000330F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1418137709.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI32.fd
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI32.fdVBoxEFI64.fdhttp://virtualbox.org/firmware/VBoxEFI64.fdVB
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI64.fd
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFIDual.fd
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Virtual.exe, 00000002.00000002.1421616749.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.0000000003725000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.0000000005360000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.000000000505B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.innotek.de/VirtualBox-settings
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422833949.00007FFBAAC45000.00000002.00000001.01000000.00000007.sdmp, Virtual.exe, 00000003.00000002.1478677352.00007FFBAA515000.00000002.00000001.01000000.0000000D.sdmp, VBoxRT.dll.0.dr, VBoxRT.dll.2.dr String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422833949.00007FFBAAC45000.00000002.00000001.01000000.00000007.sdmp, Virtual.exe, 00000003.00000002.1478677352.00007FFBAA515000.00000002.00000001.01000000.0000000D.sdmp, VBoxRT.dll.0.dr, VBoxRT.dll.2.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422833949.00007FFBAAC45000.00000002.00000001.01000000.00000007.sdmp, Virtual.exe, 00000003.00000002.1478677352.00007FFBAA515000.00000002.00000001.01000000.0000000D.sdmp, VBoxRT.dll.0.dr, VBoxRT.dll.2.dr String found in binary or memory: http://www.openssl.org/support/faq.html....................D:
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.virtualbox.org/ovf/machine
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#compressed
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#compressedhttp://www.vmware.com/specificat
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.vmware.com/schema/ovf/1/envelope
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#compressed
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#sparse
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#sparsehttp://www.vmware.com/interfaces/specifications
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
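Nothing in the URL list above is a contact point of the sample. The digicert/symcb/symcd/symauth/thawte/symantec entries are CRL distribution points, OCSP responders and CPS/RPA policy pointers from the Authenticode and timestamp certificate chains of signed binaries; the curl, openssl, info-zip, relaxng and oasis-open entries are documentation URLs compiled into those libraries; the virtualbox.org, vmware.com and innotek.de entries are XML namespace and firmware URIs built into VirtualBox components (Virtual.exe's own image carries the VBoxEFI firmware URIs, and VBoxRT.dll is among the dropped files). The odd trailing characters ("crl0L", "com0A", "cps0%") are not part of the URL: a string dump prints the bytes that follow the URI inside the DER-encoded certificate, and 0x30 ('0') plus a length byte is the start of the next SEQUENCE. The script below, added here as a worked example and not part of the report or of any sandbox product, strips that tail and sorts the entries into buckets so that only genuinely unexplained URLs are left for review; the host lists are assumptions made for this report, and the input is a few entries copied from the list above (with shortened source lists) plus one constructed example.com line that does not appear in the report.

```python
"""Triage the "String found in binary or memory" URL entries of a sandbox report.

Added by the editor as a worked example; it is not part of the report or of any
sandbox product. The host lists are assumptions made for this report and would
be a curated allowlist in a real workflow.
"""
import re
from urllib.parse import urlsplit

ENTRY_RE = re.compile(
    r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)$"
)

# CA hosts seen in Authenticode / timestamp chains: CRL distribution points,
# OCSP responders, CPS/RPA policy pointers. A string dump prints the bytes that
# follow the URI in the DER certificate, so "...crl0L" is the URL plus the
# SEQUENCE tag 0x30 ('0') and the length byte of the next element.
CA_HOSTS = ("digicert.com", "symcb.com", "symcd.com", "symauth.com",
            "thawte.com", "symantec.com")
# Documentation URLs compiled into curl, OpenSSL, Info-ZIP and libxml2.
LIBRARY_HOSTS = {"curl.haxx.se", "www.openssl.org", "www.info-zip.org",
                 "relaxng.org", "www.oasis-open.org"}
# Namespace and firmware URIs built into VirtualBox / VMware format handlers.
VIRT_HOSTS = ("virtualbox.org", "vmware.com", "innotek.de")
CATEGORIES = ("cert-infra", "library-doc", "virt-spec", "review")

# A trailing '0' plus at most one byte, not preceded by a digit or '.', is the
# DER tail; ".../structure/1.0" keeps its "1.0".
DER_TAIL_RE = re.compile(r"(?<![0-9.])0.?$")
CERT_PATH_RE = re.compile(r"(^|[./-])(ocsp|crl\d?)([./-]|$)|/cps|/rpa")

# Constructed input: entries copied from the report (source lists shortened)
# plus one line that is NOT in the report (example.com) to exercise "review".
SAMPLE_ENTRIES = """
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1682925278.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: orderconfirmation.exe, 00000000.00000003.1405215894.000000000254A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Virtual.exe, 00000003.00000002.1476960455.000000000377B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: VBoxRT.dll.2.dr String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: VBoxRT.dll.0.dr, VBoxRT.dll.2.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI32.fd
Source: Virtual.exe, 00000002.00000002.1421616749.000000000343F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: constructed.exe, 00000001.00000002.0000000000.0000000000400000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://example.com/api
"""


def clean_url(raw: str) -> str:
    """Strip the DER tag/length bytes a string dump leaves after a certificate URL."""
    return DER_TAIL_RE.sub("", raw)


def _under(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url: str) -> str:
    """Assign a cleaned URL to one of CATEGORIES."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if _under(host, CA_HOSTS) or CERT_PATH_RE.search(host + path):
        return "cert-infra"
    if host in LIBRARY_HOSTS:
        return "library-doc"
    if _under(host, VIRT_HOSTS):
        return "virt-spec"
    return "review"


def _processes(sources: str) -> list:
    """'Virtual.exe, 0000...sdmp, cmd.exe, ...' -> ['Virtual.exe', 'cmd.exe'];
    a dropped-file reference such as 'VBoxRT.dll.2.dr' becomes 'VBoxRT.dll'."""
    procs = set()
    for tok in sources.split(", "):
        if tok.endswith(".sdmp"):
            continue  # memory-dump identifier, not a process name
        procs.add(re.sub(r"\.\d+\.dr$", "", tok))
    return sorted(procs)


def triage(report_text: str) -> dict:
    """Return {category: {cleaned_url: [process names it was found in]}}."""
    result = {c: {} for c in CATEGORIES}
    for line in report_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        url = clean_url(m.group("url"))
        bucket = result[classify(url)]
        bucket[url] = sorted(set(bucket.get(url, [])) | set(_processes(m.group("sources"))))
    return result


if __name__ == "__main__":
    for category, urls in triage(SAMPLE_ENTRIES).items():
        for url, procs in sorted(urls.items()):
            print(f"{category:12} {url}  [{', '.join(procs)}]")
```

Run against the full report text, only the "review" bucket deserves analyst time; the "cert-infra" bucket is worth a glance solely to confirm the certificate chains match the binaries they are supposed to sign, which this list alone cannot tell you.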

System Summary

Source: initial sample Static PE information: Filename: orderconfirmation.exe
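The Code function entries that follow list function starts for both Virtual.exe instances (process 2, run from AppData\Local\Temp, and process 3, run from the Roaming\fmBrowserumz_test copy) at addresses that differ by a constant per module: compare 2_2_616AB1E0 with 3_2_615CB1E0, or 2_2_6178F2D4 with 3_2_6152F2D4. The script below, added as a worked example and not part of the report or of any sandbox product, recovers those relocation deltas from the listing and reports the entries no delta explains. Its input is a subset of the entries below copied verbatim; pairing addresses by their low 16 bits is an assumption that both modules were mapped at 64 KiB-aligned bases, so every function moves by a multiple of 0x10000.

```python
"""Check whether two processes' "Code function" lists are the same code at
different load addresses.

Added by the editor as a worked example; not part of the report or of any
sandbox product. Pairing addresses by their low 16 bits assumes 64 KiB
image-base alignment, so a relocated module shifts every function by a
multiple of 0x10000 (an assumption, stated in the lead-in).
"""
import re
from collections import Counter, defaultdict

FUNC_RE = re.compile(r"Code function: (?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-F]{8})\b")

# Constructed input: a subset of the report's entries, copied verbatim.
# Process 2 is Virtual.exe from AppData\Local\Temp, process 3 the copy under
# AppData\Roaming\fmBrowserumz_test.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616AB1E0 2_2_616AB1E0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169A1F0 2_2_6169A1F0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616C3050 2_2_616C3050
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616F0008 2_2_616F0008
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6167D0E8 2_2_6167D0E8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616EF558 2_2_616EF558
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6178F2D4 2_2_6178F2D4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6175E5F8 2_2_6175E5F8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61790740 2_2_61790740
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6177AE88 2_2_6177AE88
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615CB1E0 3_2_615CB1E0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615BA1F0 3_2_615BA1F0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615E3050 3_2_615E3050
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61610008 3_2_61610008
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6159D0E8 3_2_6159D0E8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6160F558 3_2_6160F558
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615D7938 3_2_615D7938
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6152F2D4 3_2_6152F2D4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_614FE5F8 3_2_614FE5F8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61530740 3_2_61530740
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6151AE88 3_2_6151AE88
"""


def parse_functions(text: str) -> dict:
    """Map process id -> set of function start addresses (ints)."""
    funcs = defaultdict(set)
    for m in FUNC_RE.finditer(text):
        funcs[int(m.group("pid"))].add(int(m.group("addr"), 16))
    return dict(funcs)


def relocation_deltas(src: set, dst: set) -> Counter:
    """Count candidate base shifts (dst - src) over address pairs that agree in
    their low 16 bits; a relocated 64 KiB-aligned module keeps those bits."""
    by_low = defaultdict(list)
    for a in src:
        by_low[a & 0xFFFF].append(a)
    deltas = Counter()
    for b in dst:
        for a in by_low.get(b & 0xFFFF, ()):
            deltas[b - a] += 1
    return deltas


def match_processes(src: set, dst: set, min_support: int = 3) -> dict:
    """Explain dst's functions as src's functions shifted by a few per-module
    deltas. Returns {'deltas': {delta: pairs}, 'unmatched': [dst addresses
    that no well-supported delta explains]}."""
    deltas = {d: n for d, n in relocation_deltas(src, dst).items() if n >= min_support}
    explained = {a + d for d in deltas for a in src} & dst
    return {"deltas": deltas, "unmatched": sorted(dst - explained)}


if __name__ == "__main__":
    funcs = parse_functions(SAMPLE)
    res = match_processes(funcs[2], funcs[3])
    for delta, n in sorted(res["deltas"].items()):
        print(f"process 3 = process 2 {delta:+#x} for {n} functions")
    print("unexplained in process 3:", [f"{a:08X}" for a in res["unmatched"]])
```

A clean result, two deltas covering nearly every entry, says process 3 is the same code re-executed from its persistence path rather than a second payload, so the list does not need to be reviewed twice. The leftovers are where to spend attention: in the subset above that is 3_2_615D7938, which has no counterpart among the process-2 entries shown, though the lists may simply be truncated at different points.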
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00404FAA 0_2_00404FAA
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_0041206B 0_2_0041206B
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_0041022D 0_2_0041022D
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00411F91 0_2_00411F91
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616AB1E0 2_2_616AB1E0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169A1F0 2_2_6169A1F0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A8194 2_2_616A8194
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616C3050 2_2_616C3050
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616F0008 2_2_616F0008
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616AA0EC 2_2_616AA0EC
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6167D0E8 2_2_6167D0E8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169C350 2_2_6169C350
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616DA2BC 2_2_616DA2BC
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616EE2B8 2_2_616EE2B8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616ED2B4 2_2_616ED2B4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A0288 2_2_616A0288
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A9294 2_2_616A9294
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6167B298 2_2_6167B298
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616EF558 2_2_616EF558
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169F454 2_2_6169F454
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616AA410 2_2_616AA410
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616F74DC 2_2_616F74DC
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A24D0 2_2_616A24D0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616944A8 2_2_616944A8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A84BC 2_2_616A84BC
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169A760 2_2_6169A760
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616AA77C 2_2_616AA77C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6168D73C 2_2_6168D73C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616DB7E4 2_2_616DB7E4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169B7C4 2_2_6169B7C4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A27AC 2_2_616A27AC
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6168B624 2_2_6168B624
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616AC6A0 2_2_616AC6A0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A56B8 2_2_616A56B8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616806B0 2_2_616806B0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A5958 2_2_616A5958
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169A92C 2_2_6169A92C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616949E4 2_2_616949E4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A28D4 2_2_616A28D4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6167D8B4 2_2_6167D8B4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6168C894 2_2_6168C894
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A2BF4 2_2_616A2BF4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616DCBA0 2_2_616DCBA0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A5B88 2_2_616A5B88
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A7AF4 2_2_616A7AF4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61699AAC 2_2_61699AAC
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A5A94 2_2_616A5A94
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A4D40 2_2_616A4D40
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61690DCC 2_2_61690DCC
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A7DB0 2_2_616A7DB0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A9C74 2_2_616A9C74
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61698CF8 2_2_61698CF8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616C7F74 2_2_616C7F74
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A9F44 2_2_616A9F44
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616EDF5C 2_2_616EDF5C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61693F10 2_2_61693F10
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169BE1C 2_2_6169BE1C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A8E10 2_2_616A8E10
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616AAE9C 2_2_616AAE9C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6178F2D4 2_2_6178F2D4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6175E5F8 2_2_6175E5F8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6177B5B8 2_2_6177B5B8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61779580 2_2_61779580
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6177D46C 2_2_6177D46C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_617804D0 2_2_617804D0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_617864B8 2_2_617864B8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61790740 2_2_61790740
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61794714 2_2_61794714
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6178E638 2_2_6178E638
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_617956E8 2_2_617956E8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6177692C 2_2_6177692C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6177A84C 2_2_6177A84C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6178DB68 2_2_6178DB68
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61779B60 2_2_61779B60
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6176DD3C 2_2_6176DD3C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6177CD3C 2_2_6177CD3C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61793E34 2_2_61793E34
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61783E0C 2_2_61783E0C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61781EF4 2_2_61781EF4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6177AE88 2_2_6177AE88
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6152F2D4 3_2_6152F2D4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_614FE5F8 3_2_614FE5F8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61519580 3_2_61519580
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6151B5B8 3_2_6151B5B8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6151D46C 3_2_6151D46C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615204D0 3_2_615204D0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615264B8 3_2_615264B8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61530740 3_2_61530740
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61534714 3_2_61534714
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6152E638 3_2_6152E638
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615356E8 3_2_615356E8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6151692C 3_2_6151692C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6151A84C 3_2_6151A84C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61519B60 3_2_61519B60
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6152DB68 3_2_6152DB68
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6150DD3C 3_2_6150DD3C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6151CD3C 3_2_6151CD3C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61523E0C 3_2_61523E0C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61533E34 3_2_61533E34
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61521EF4 3_2_61521EF4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6151AE88 3_2_6151AE88
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615BA1F0 3_2_615BA1F0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615CB1E0 3_2_615CB1E0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C8194 3_2_615C8194
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615E3050 3_2_615E3050
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61610008 3_2_61610008
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615CA0EC 3_2_615CA0EC
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6159D0E8 3_2_6159D0E8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615BC350 3_2_615BC350
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6159B298 3_2_6159B298
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C9294 3_2_615C9294
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C0288 3_2_615C0288
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6160D2B4 3_2_6160D2B4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6160E2B8 3_2_6160E2B8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615FA2BC 3_2_615FA2BC
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6160F558 3_2_6160F558
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615BF454 3_2_615BF454
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615CA410 3_2_615CA410
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C24D0 3_2_615C24D0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_616174DC 3_2_616174DC
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C84BC 3_2_615C84BC
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B44A8 3_2_615B44A8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615CA77C 3_2_615CA77C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615BA760 3_2_615BA760
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615AD73C 3_2_615AD73C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615BB7C4 3_2_615BB7C4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615FB7E4 3_2_615FB7E4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C27AC 3_2_615C27AC
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615AB624 3_2_615AB624
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C56B8 3_2_615C56B8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615A06B0 3_2_615A06B0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615CC6A0 3_2_615CC6A0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C5958 3_2_615C5958
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615D7938 3_2_615D7938
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615BA92C 3_2_615BA92C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B49E4 3_2_615B49E4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C28D4 3_2_615C28D4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615AC894 3_2_615AC894
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6159D8B4 3_2_6159D8B4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C2BF4 3_2_615C2BF4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6160EBD8 3_2_6160EBD8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C5B88 3_2_615C5B88
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615FCBA0 3_2_615FCBA0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C7AF4 3_2_615C7AF4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C5A94 3_2_615C5A94
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B9AAC 3_2_615B9AAC
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C4D40 3_2_615C4D40
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B0DCC 3_2_615B0DCC
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C7DB0 3_2_615C7DB0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C9C74 3_2_615C9C74
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B8CF8 3_2_615B8CF8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C9F44 3_2_615C9F44
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615E7F74 3_2_615E7F74
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_6160DF5C 3_2_6160DF5C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B3F10 3_2_615B3F10
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615BBE1C 3_2_615BBE1C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615C8E10 3_2_615C8E10
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615CAE9C 3_2_615CAE9C
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Virtual.exe 448402C129A721812FA1C5F279F5CA906B9C8BBCA652A91655D144D20CE5E6B4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: String function: 6175F96C appears 38 times
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: String function: 614FF96C appears 38 times
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: String function: 0040243B appears 37 times
Source: orderconfirmation.exe, 00000000.00000003.1396839177.000000000244D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs orderconfirmation.exe
Source: orderconfirmation.exe, 00000000.00000000.1395125620.0000000000432000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs orderconfirmation.exe
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp100.dll^ vs orderconfirmation.exe
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs orderconfirmation.exe
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVBoxSVC.exeJ vs orderconfirmation.exe
Source: orderconfirmation.exe Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs orderconfirmation.exe
Source: orderconfirmation.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/16@0/0
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_00407776
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW, 0_2_0040118A
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004034C1
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_00401BDF
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe File created: C:\Users\user\AppData\Roaming\fmBrowserumz_test Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Users\user\Desktop\orderconfirmation.exe File created: C:\Users\user\AppData\Local\Temp\Package Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: orderconfirmation.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\orderconfirmation.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe File read: C:\Users\user\Desktop\orderconfirmation.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\orderconfirmation.exe "C:\Users\user\Desktop\orderconfirmation.exe"
Source: C:\Users\user\Desktop\orderconfirmation.exe Process created: C:\Users\user\AppData\Local\Temp\Virtual.exe "C:\Users\user\AppData\Local\Temp\Virtual.exe"
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Process created: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\orderconfirmation.exe Process created: C:\Users\user\AppData\Local\Temp\Virtual.exe "C:\Users\user\AppData\Local\Temp\Virtual.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Process created: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\orderconfirmation.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: vboxddu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: vboxddu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: orderconfirmation.exe Static file information: File size 3678161 > 1048576
Source: C:\Users\user\Desktop\orderconfirmation.exe File opened: C:\Users\user\AppData\Local\Temp\msvcr100.dll Jump to behavior
Source: Binary string: msvcp100.amd64.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1417369534.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422273891.000000006179F000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1477771422.000000006153F000.00000002.00000001.01000000.0000000F.sdmp, msvcp100.dll.2.dr
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxDDU\VBoxDDU.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1418137709.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1423065431.00007FFBAB8E5000.00000002.00000001.01000000.00000006.sdmp, Virtual.exe, 00000003.00000002.1478925227.00007FFBAB885000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: msvcr100.amd64.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422104815.0000000061701000.00000002.00000001.01000000.00000009.sdmp, Virtual.exe, 00000002.00000003.1417587234.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477963143.0000000061621000.00000002.00000001.01000000.0000000E.sdmp, msvcr100.dll.2.dr, msvcr100.dll.0.dr
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxSVC\VBoxSVC.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413404481.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000002.00000002.1422515618.00007FF605D77000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000000.1420725570.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: ntdll.pdb source: Virtual.exe, 00000002.00000002.1421706058.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1421846022.0000000003910000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477438432.0000000003E56000.00000004.00000001.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477068006.000000000385B000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477228614.0000000003C50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000004.00000002.1682634371.000000000500D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1683019066.0000000005470000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682537513.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682361980.00000000051A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Virtual.exe, 00000002.00000002.1421706058.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1421846022.0000000003910000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477438432.0000000003E56000.00000004.00000001.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477068006.000000000385B000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1477228614.0000000003C50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxRT\VBoxRT.pdb source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422833949.00007FFBAAC45000.00000002.00000001.01000000.00000007.sdmp, Virtual.exe, 00000003.00000002.1478677352.00007FFBAA515000.00000002.00000001.01000000.0000000D.sdmp, VBoxRT.dll.0.dr
Source: Binary string: wntdll.pdb source: cmd.exe, 00000004.00000002.1682634371.000000000500D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1683019066.0000000005470000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682537513.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1682361980.00000000051A5000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: VBoxRT.dll.2.dr Static PE information: real checksum: 0x413417 should be: 0x40d7d0
Source: VBoxRT.dll.0.dr Static PE information: real checksum: 0x413417 should be: 0x40d7d0
Source: ckmfqeimpicbuy.4.dr Static PE information: real checksum: 0x0 should be: 0x5e5e1
Source: orderconfirmation.exe Static PE information: real checksum: 0x33302 should be: 0x3875fb
Source: msvcr100.dll.0.dr Static PE information: section name: _CONST
Source: msvcr100.dll.0.dr Static PE information: section name: text
Source: msvcr100.dll.2.dr Static PE information: section name: _CONST
Source: msvcr100.dll.2.dr Static PE information: section name: text
Source: ckmfqeimpicbuy.4.dr Static PE information: section name: uyk
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_617629CA push rcx; ret 2_2_617629CB
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615029CA push rcx; ret 3_2_615029CB
Source: C:\Users\user\Desktop\orderconfirmation.exe File created: C:\Users\user\AppData\Local\Temp\Virtual.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe File created: C:\Users\user\AppData\Roaming\fmBrowserumz_test\VBoxDDU.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe File created: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\ckmfqeimpicbuy Jump to dropped file
Source: C:\Users\user\Desktop\orderconfirmation.exe File created: C:\Users\user\AppData\Local\Temp\VBoxDDU.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe File created: C:\Users\user\AppData\Roaming\fmBrowserumz_test\VBoxRT.dll Jump to dropped file
Source: C:\Users\user\Desktop\orderconfirmation.exe File created: C:\Users\user\AppData\Local\Temp\VBoxRT.dll Jump to dropped file
Source: C:\Users\user\Desktop\orderconfirmation.exe File created: C:\Users\user\AppData\Local\Temp\msvcr100.dll Jump to dropped file
Source: C:\Users\user\Desktop\orderconfirmation.exe File created: C:\Users\user\AppData\Local\Temp\msvcp100.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe File created: C:\Users\user\AppData\Roaming\fmBrowserumz_test\msvcr100.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe File created: C:\Users\user\AppData\Roaming\fmBrowserumz_test\msvcp100.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CKMFQEIMPICBUY
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6168D73C GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError, 2_2_6168D73C
Source: C:\Users\user\Desktop\orderconfirmation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6D4C3B54
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: DFA317
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6168B878 rdtsc 2_2_6168B878
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ckmfqeimpicbuy Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe API coverage: 0.5 %
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe API coverage: 0.5 %
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040301A
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402B79
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616983E8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_616983E8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616963E4 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_616963E4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616923A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose, 2_2_616923A0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616944A8 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,SetErrorMode, 2_2_616944A8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616949E4 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno, 2_2_616949E4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6169885C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_6169885C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616968D8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_616968D8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61697B1C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_61697B1C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61696DDC __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_61696DDC
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61692C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose, 2_2_61692C0C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61693F10 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno, 2_2_61693F10
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61697F84 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_61697F84
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61695EE8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_61695EE8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B83E8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 3_2_615B83E8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B63E4 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 3_2_615B63E4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B23A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose, 3_2_615B23A0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B44A8 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,SetErrorMode, 3_2_615B44A8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B49E4 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno, 3_2_615B49E4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B885C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 3_2_615B885C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B68D8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 3_2_615B68D8
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B7B1C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 3_2_615B7B1C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B6DDC __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 3_2_615B6DDC
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B2C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose, 3_2_615B2C0C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B3F10 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno, 3_2_615B3F10
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B7F84 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 3_2_615B7F84
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_615B5EE8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 3_2_615B5EE8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616799E0 GetSystemInfo,GetVersionExW,GetModuleHandleW,GetProcAddress,GetLastError,GetLogicalProcessorInformation,GetLastError,GetLastError,malloc,GetLogicalProcessorInformation,GetLastError,GetLastError,GetLastError,malloc,GetLastError,free, 2_2_616799E0
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: http://www.vmware.com/schema/ovf/1/envelope
Source: Virtual.exe, 00000003.00000002.1476869125.0000000003520000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: uuidvbox:uuid%RTuuidovf:formathttp://www.vmware.com/specifications/vmdk.html#sparsehttp://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimizedovf:fileRefovf:diskIdovf:capacityDiskovf:hrefFilefile%RI32VMDKLogical network used by this appliance.ovf:nameExportedVirtualBoxMachinesVirtualSystemCollectionCannot export more than one virtual system with OVF 0.9, use OVF 1.0Logical networks used in the packageNetworkSectionovf:NetworkSection_TypeList of the virtual disks used in the packageDiskSectionovf:DiskSection_TypeReferencesxmlns:vboxhttp://www.virtualbox.org/ovf/machinexmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:vssdhttp://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingDataxmlns:rasdhttp://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingDataxmlns:ovfxmlnshttp://schemas.dmtf.org/ovf/envelope/1http://www.vmware.com/schema/ovf/1/envelopexml:langen-USovf:version0.92.0Envelope"
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: %s/VBoxGuestAdditions_%ls.iso
Source: explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: /additions/VBoxGuestAdditions.iso
Source: explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: VBoxRT.dll.2.dr Binary or memory string: using the native ring-0 loaderpLoadReq->u.In.cbStrTab == CalcArgs.cbStrings(size_t)(CreateArgs.pSym - (PSUPLDRSYM)&pLoadReq->u.In.abImage[offSymTab]) <= CalcArgs.cSymbols(size_t)(CreateArgs.psz - CreateArgs.pszBase) <= CalcArgs.cbStringsint __cdecl supLoadModule(const char *,const char *,const char *,void **)ModuleTermModuleInitVMMR0EntryExVMMR0EntryFastVMMR0EntryIntsupLoadModule returned %RrcVBoxDrvVBox Support Driver\VBoxDrv.sys\\.\VBoxDrvVBoxNetDHCP.dllVBoxNetDHCP.exevboxwebsrv.exeVBoxBFE.dllVBoxBFE.exeVBoxSDL.dllVBoxSDL.exeVirtualBox.dllVirtualBox.exeVBoxVideoRecFB.dllVBoxHeadless.dllVBoxHeadless.exeVBoxVRDP.dllVBoxAuth.dllVRDPAuth.dllVBoxC.dllVBoxSVC.exeVBoxManage.exeVBoxOGLrenderspu.dllVBoxOGLhosterrorspu.dllVBoxOGLhostcrutil.dllVBoxSharedCrOpenGL.dllVBoxHostChannel.dllVBoxGuestControlSvc.dllVBoxGuestPropSvc.dllVBoxDragAndDropSvc.dllVBoxSharedFolders.dllVBoxSharedClipboard.dllVBoxDbg3.dllVBoxDbg.dllVBoxDDU.dllVBoxDD2.dllVBoxDD.dllVBoxREM.dllVBoxVMM.dllVBoxRT.dllVBoxDD2GC.gcVBoxDDGC.gcVMMGC.gcVBoxDD2R0.r0VBoxDDR0.r0
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1419101660.00000000032AD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1413508072.00007FF605E53000.00000002.00000001.01000000.00000005.sdmp, Virtual.exe, 00000003.00000002.1478387442.00007FF6AEB43000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: AdditionsFacilityType_VBoxTrayClient
Source: Virtual.exe, 00000003.00000002.1478387442.00007FF6AEB43000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: aVmNetTx
Source: Virtual.exe, 00000003.00000002.1478387442.00007FF6AEB43000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: aVmNetRx
Source: explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: VBoxRT.dll.2.dr Binary or memory string: The service was disabled on the host. Returned by pfnInit in VBoxService to indicated a non-fatal error that should results in the particular service being disabled.
Source: explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: VBoxRT.dll.2.dr Binary or memory string: VBoxGuestPropSvc.dll
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: /VBoxGuestAdditions.iso
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Given default machine Guest Additions ISO file '%s' does not existGiven default machine Guest Additions ISO file '%s' is not fully qualifiedCannot determine default Guest Additions ISO location. Most likely they are not available%s/VBoxGuestAdditions_%ls.iso/additions/VBoxGuestAdditions.iso/VBoxGuestAdditions.iso
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Importing virtual disk image '%s'Could not find a valid medium format for the source disk '%s'http://www.vmware.com/interfaces/specifications/vmdk.html#compressedhttp://www.vmware.com/specifications/vmdk.html#compressedVDICreating disk image '%s'%s%c%sCould not find a valid medium format for the target disk '%s'"
Source: Virtual.exe, 00000003.00000002.1478387442.00007FF6AEB43000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: AdditionsFacilityType_VBoxGuestDriverWWW
Source: explorer.exe, 00000009.00000002.1682172865.00000000050A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: Virtual.exe, 00000003.00000002.1478387442.00007FF6AEB43000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: !0R4AdditionsFacilityType_VBoxServiceWWW
Source: VBoxRT.dll.2.dr Binary or memory string: VBoxGuestControlSvc.dll
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422833949.00007FFBAAC45000.00000002.00000001.01000000.00000007.sdmp, Virtual.exe, 00000003.00000002.1478677352.00007FFBAA515000.00000002.00000001.01000000.0000000D.sdmp, VBoxRT.dll.0.dr, VBoxRT.dll.2.dr Binary or memory string: VBoxTray.exe
Source: VBoxRT.dll.2.dr Binary or memory string: IOCtl to VBoxGuest driver failed.
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: http://www.vmware.com/specifications/vmdk.html#compressed
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: http://www.vmware.com/specifications/vmdk.html#sparse
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422833949.00007FFBAAC45000.00000002.00000001.01000000.00000007.sdmp, Virtual.exe, 00000003.00000002.1478677352.00007FFBAA515000.00000002.00000001.01000000.0000000D.sdmp, VBoxRT.dll.0.dr, VBoxRT.dll.2.dr Binary or memory string: VBoxTray.exeexplorer.exeint __cdecl rtProcWinCreateAsUser1(unsigned short *,unsigned short *,unsigned short *,unsigned short *,struct RTENVINTERNAL *,unsigned long,struct _STARTUPINFOW *,struct _PROCESS_INFORMATION *,unsigned int)pfnCreateProcessWithLogonW (%p) failed: dwErr=%u (%#x), rc=%Rrc
Source: orderconfirmation.exe, 00000000.00000003.1404300449.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1422833949.00007FFBAAC45000.00000002.00000001.01000000.00000007.sdmp, Virtual.exe, 00000003.00000002.1478677352.00007FFBAA515000.00000002.00000001.01000000.0000000D.sdmp, VBoxRT.dll.0.dr, VBoxRT.dll.2.dr Binary or memory string: Virtual HDD is not opened.
Source: Virtual.exe, 00000003.00000002.1476869125.0000000003520000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mvmware
Source: Virtual.exe, 00000003.00000002.1478289432.00007FF6AEA67000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: http://www.vmware.com/interfaces/specifications/vmdk.html#compressed
Source: Virtual.exe, 00000003.00000002.1478387442.00007FF6AEB43000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: b!0R4AdditionsFacilityType_VBoxServiceWWW
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_6168B878 rdtsc 2_2_6168B878
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616E02A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_616E02A4
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616DECC8 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError, 2_2_616DECC8
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616E02A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_616E02A4
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616E06B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_616E06B0
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_61796BB0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_61796BB0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_61536BB0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess, 3_2_61536BB0
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_616002A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_616002A4
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: 3_2_616006B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_616006B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x7FFBAA718E14
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtQuerySystemInformation: Direct from: 0x7FFBAA702143
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtCreateFile: Direct from: 0x35466DEF
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtCreateNamedPipeFile: Direct from: 0x2D2683C
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe NtQuerySystemInformation: Direct from: 0x9AE230
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtReadFile: Direct from: 0x110
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtClose: Direct from: 0x154BB10
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtClose: Direct from: 0x2
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x7FFBAA719635
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtProtectVirtualMemory: Direct from: 0x3
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtProtectVirtualMemory: Direct from: 0x6C006C
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x1542C10
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtQuerySystemInformation: Direct from: 0x7FFB40CB21D3
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe NtProtectVirtualMemory: Direct from: 0x7FFBAA7194F5
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe NtProtectVirtualMemory: Direct from: 0x7FFBCB7626A1
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 7928 base: DF79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 7928 base: 230000 value: 00
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: cmd.exe, 00000004.00000002.1682478050.0000000003330000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: teenylogicod.shop
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: DF79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 230000
Source: C:\Users\user\Desktop\orderconfirmation.exe Process created: C:\Users\user\AppData\Local\Temp\Virtual.exe "C:\Users\user\AppData\Local\Temp\Virtual.exe"
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_00401F9D
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: ___lc_handle_func,GetLocaleInfoW, 2_2_61789460
Source: C:\Users\user\AppData\Roaming\fmBrowserumz_test\Virtual.exe Code function: ___lc_handle_func,GetLocaleInfoW, 3_2_61529460
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00401626
Source: C:\Users\user\AppData\Local\Temp\Virtual.exe Code function: 2_2_616A7DB0 _errno,_invalid_parameter_noinfo,__tzset,_get_daylight,GetSystemTimeAsFileTime,GetTimeZoneInformation,_ftime64_s, 2_2_616A7DB0
Source: C:\Users\user\Desktop\orderconfirmation.exe Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00404FAA

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
No contacted IP infos