

Analysis Report Payment Advice.exe

Overview

General Information

Sample Name: Payment Advice.exe
Analysis ID: 299287
MD5: 87a02b519d1996024a3a91cadd04fa9d
SHA1: d9156e20f9df8df33b1d6b970e19277871a40b09
SHA256: 41e247af1c9e83534cd1a251b618432759435c3f9c9dfd2c8760f712a6ccc5a4
Tags: exe


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment Advice.exe (PID: 6344 cmdline: 'C:\Users\user\Desktop\Payment Advice.exe' MD5: 87A02B519D1996024A3A91CADD04FA9D)
    • Payment Advice.exe (PID: 6408 cmdline: {path} MD5: 87A02B519D1996024A3A91CADD04FA9D)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6900 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • msiexec.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 1752 cmdline: /c del 'C:\Users\user\Desktop\Payment Advice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
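The tree above is the behavioural core of the report: the sample spawns a second copy of itself, that copy injects into explorer.exe, the injected explorer.exe launches 32-bit system tools from SysWOW64, and one of them (msiexec.exe) runs cmd.exe to delete the original file. The following Python is an added example, not code from the report or from Joe Sandbox: it transcribes the tree into process-creation records and flags those three edges. The image paths of explorer.exe and cmd.exe are assumed (the report prints only their MD5s), and the edges under the second Payment Advice.exe are the sandbox's injection edges rather than real parent/child creations, which is why a real EDR would see explorer.exe launching msiexec.exe with no Payment Advice.exe ancestor at all.

```python
"""Added example (not from the report): flag the FormBook lineage in the
Startup tree. Records are transcribed from the tree; explorer.exe and
cmd.exe image paths are assumed, the report only shows their MD5s."""
import ntpath

# (pid, parent_pid, image_path, command_line) transcribed from the report's tree.
EVENTS = [
    (6344, 0,    r"C:\Users\user\Desktop\Payment Advice.exe", r"'C:\Users\user\Desktop\Payment Advice.exe'"),
    (6408, 6344, r"C:\Users\user\Desktop\Payment Advice.exe", r"{path}"),
    (3292, 6408, r"C:\Windows\explorer.exe",                  r""),   # path assumed (injection target)
    (6900, 3292, r"C:\Windows\SysWOW64\autofmt.exe",          r"C:\Windows\SysWOW64\autofmt.exe"),
    (6944, 3292, r"C:\Windows\SysWOW64\msiexec.exe",          r"C:\Windows\SysWOW64\msiexec.exe"),
    (1752, 6944, r"C:\Windows\SysWOW64\cmd.exe",              r"/c del 'C:\Users\user\Desktop\Payment Advice.exe'"),  # path assumed
    (4472, 1752, r"C:\Windows\system32\conhost.exe",          r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SYSWOW64 = "c:\\windows\\syswow64\\"
SYSTEM_DIRS = (SYSWOW64, "c:\\windows\\system32\\")


def _base(path: str) -> str:
    """Lower-cased image file name of a Windows path."""
    return ntpath.basename(path).lower()


def find_sample(events) -> str:
    """The root of the tree (no parent among the records) is the submitted sample."""
    pids = {e[0] for e in events}
    return next(e[2] for e in events if e[1] not in pids)


def lineage(events, pid: int) -> list:
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain[::-1]


def analyse(events) -> list:
    """Return (rule, pid) alerts for the edges that make this a FormBook tree."""
    by_pid = {e[0]: e for e in events}
    sample = find_sample(events).lower()
    alerts = []
    for pid, ppid, image, cmdline in events:
        if ppid not in by_pid:
            continue
        parent_image = by_pid[ppid][2].lower()
        image_l, cmd_l = image.lower(), cmdline.strip().lower()
        # 1. A second copy of the same image: the target of the report's
        #    "Creates a process in suspended mode (likely to inject code)".
        if image_l == parent_image:
            alerts.append(("self_spawn", pid))
        # 2. explorer.exe launching a 32-bit system tool with no arguments
        #    (autofmt.exe and msiexec.exe in the report).
        if _base(parent_image) == "explorer.exe" and image_l.startswith(SYSWOW64) \
                and cmd_l in ("", image_l):
            alerts.append(("explorer_spawns_syswow64_tool", pid))
        # 3. A system binary running "cmd /c del" against the original sample path.
        if _base(image_l) == "cmd.exe" and "/c del" in cmd_l and sample in cmd_l \
                and parent_image.startswith(SYSTEM_DIRS):
            alerts.append(("sample_self_delete", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:32s} pid={pid}  lineage={' > '.join(lineage(EVENTS, pid))}")
```

Rule 2 is the one worth keeping on a real host: an unparameterised msiexec.exe or autofmt.exe started by explorer.exe is rare in normal use, and the hash of the tool is legitimate, so file reputation alone will not catch it.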

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.505431287.0000000002F10000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.505431287.0000000002F10000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author
1.2.Payment Advice.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Payment Advice.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Payment Advice.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.Payment Advice.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Payment Advice.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings (offsets differ from the .raw dump by 0xe00 because section alignment is applied in this image):
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown)
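The Yara strings listed above are fixed byte patterns, so the matches can be reproduced, and checked against any other dump, without the Yara engine. The following Python is an added example, not code from the report, from Joe Security or from the rule authors. It copies the $sequence_* and $sqlite3* patterns as printed above, decodes the JPCERT strings as the x86 `push imm32` instructions they are (opcode 68 followed by a little-endian dword; the rule names say which sqlite3 routine each pushed constant stands for), and scans a buffer for all of them. The buffer is constructed here and is not the sample, and the summary thresholds in formbook_indicators are assumptions for the demo rather than the published rule conditions.

```python
"""Added example (not from the report or the rule authors): reproduce the
listed Yara string hits with plain byte searches and decode the JPCERT
push constants. Patterns are copied from the report; the test buffer is
constructed and is not the sample."""
import struct

# yara-signator rule Formbook_1, strings as printed in the report.
# $sequence_0 disassembles to: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax,
# a time-stamp-counter delta, i.e. the RDTSC timing check the report flags.
SIGNATOR_SEQUENCES = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}

# JPCERT/CC rule Formbook. Each string is one 5-byte `push imm32` (opcode 0x68).
JPCERT_PUSHES = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hexpat(spaced_hex: str) -> bytes:
    """Turn the report's spaced hex ('68 34 1C 7B E1') into bytes."""
    return bytes.fromhex(spaced_hex)


def push_imm32(insn: bytes) -> int:
    """Immediate operand of a `push imm32`; raises if the bytes are not one."""
    if len(insn) != 5 or insn[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", insn[1:])[0]


def scan(buf: bytes, patterns: dict) -> list:
    """Every (offset, pattern_name) hit in buf, sorted by offset; overlaps allowed."""
    hits = []
    for name, spaced_hex in patterns.items():
        needle, start = hexpat(spaced_hex), 0
        while (pos := buf.find(needle, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def formbook_indicators(buf: bytes) -> dict:
    """Summarise hits the way an analyst reads the two rules. The thresholds
    here are assumptions for the demo, not the published rule conditions."""
    seq_names = {name for _, name in scan(buf, SIGNATOR_SEQUENCES)}
    push_names = {name for _, name in scan(buf, JPCERT_PUSHES)}
    return {
        "signator_sequences_hit": len(seq_names),
        "jpcert_all_three": push_names == set(JPCERT_PUSHES),
        "sqlite3_constants": {n: hex(push_imm32(hexpat(JPCERT_PUSHES[n]))) for n in sorted(push_names)},
    }


def build_demo_buffer() -> bytes:
    """Constructed input: NOP filler with a few of the patterns at known offsets."""
    buf = bytearray(b"\x90" * 0x200)
    layout = {
        0x10: SIGNATOR_SEQUENCES["$sequence_0"],
        0x40: JPCERT_PUSHES["$sqlite3step"],
        0x80: JPCERT_PUSHES["$sqlite3text"],
        0xC0: JPCERT_PUSHES["$sqlite3blob"],
        0x100: SIGNATOR_SEQUENCES["$sequence_7"],
    }
    for off, spaced_hex in layout.items():
        pat = hexpat(spaced_hex)
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    demo = build_demo_buffer()
    for off, name in scan(demo, {**SIGNATOR_SEQUENCES, **JPCERT_PUSHES}):
        print(f"0x{off:x}:{name}")
    print(formbook_indicators(demo))
```

To run it against one of the report's artefacts, read the .sdmp or .unpack file into `buf` and call `scan`; the offsets it prints should line up with the ones in the table above. The pushed constants (0xe17b1c34 and so on) are the values to search for in other samples, since they survive recompilation of the surrounding code far better than the opcode sequences do.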

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Payment Advice.exe | Virustotal: Detection: 49%
Source: Payment Advice.exe | ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505431287.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.288040030.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505528656.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.287225293.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505064195.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.251116966.000000000399B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Payment Advice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Payment Advice.exe | Joe Sandbox ML: detected
Source: 1.2.Payment Advice.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00416CA4: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D06CA4: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.7:49741
Source: global traffic | HTTP traffic detected: GET /ga4/?lHNl=xCMe8TEEQeGHL7NYIadhCIXnyUmnU5I9ErqRFjmWuYFeYalp5f1evTEH12QixUF/1KbMli6PTQ==&D8k8=O0DHsL6Hd HTTP/1.1 | Host: www.zoomforyourhealth.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ga4/?lHNl=YJsPUx3mPs6gDQF5QVnuDXpId8Od6s/y7DQYc8YoikEsp0SPvgTtlxn9JJsDEPJ+DKOL/qhXSA==&D8k8=O0DHsL6Hd HTTP/1.1 | Host: www.pawhot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ga4/?lHNl=IEWYQCkd5Ccf1VBB+B8zkvP/o1fSimwcqFHGBmQJ0LttAjxG82j3ncBxV3KSNWT6GLhsr0hisA==&D8k8=O0DHsL6Hd HTTP/1.1 | Host: www.ilikecircles.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 23.227.38.64
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic | HTTP traffic detected: GET /ga4/?lHNl=xCMe8TEEQeGHL7NYIadhCIXnyUmnU5I9ErqRFjmWuYFeYalp5f1evTEH12QixUF/1KbMli6PTQ==&D8k8=O0DHsL6Hd HTTP/1.1 | Host: www.zoomforyourhealth.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ga4/?lHNl=YJsPUx3mPs6gDQF5QVnuDXpId8Od6s/y7DQYc8YoikEsp0SPvgTtlxn9JJsDEPJ+DKOL/qhXSA==&D8k8=O0DHsL6Hd HTTP/1.1 | Host: www.pawhot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ga4/?lHNl=IEWYQCkd5Ccf1VBB+B8zkvP/o1fSimwcqFHGBmQJ0LttAjxG82j3ncBxV3KSNWT6GLhsr0hisA==&D8k8=O0DHsL6Hd HTTP/1.1 | Host: www.ilikecircles.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: unknown | DNS traffic detected: queries for: www.zoomforyourhealth.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 1364 | Connection: close | Date: Fri, 16 Oct 2020 13:46:00 GMT | Server: Apache | X-Frame-Options: deny
  Body (the report's hex dump decoded to text; the dump is cut off in the report):
  <!DOCTYPE html>
  <html>
  <head>
  <meta charset="utf-8">
  <style type="text/css">
  html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; }
  body { overflow:hidden; }
  </style>
  <meta content="NOW" name="expires">
  <meta content="index, follow, all" name="GOOGLEBOT">
  <meta content="index, follow, all" name="robots">
  <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->
  <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">
  </head>
  <body>
  <div id="partner"></div>
  <script ty[cut off in the report]
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.265096095.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.271545385.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
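The three GET requests in this section carry the network indicators that matter: the same path (/ga4/) and the same second parameter (D8k8=O0DHsL6Hd) go to three unrelated hosts, there is no User-Agent header at all (the report's "HTTP GET or POST without a user agent"), and the first parameter is an opaque value that differs per request. The font-vendor URLs above, by contrast, are ordinary strings from the explorer.exe image and are not indicators. The following Python is an added example, not code from the report or from Joe Sandbox: it parses the three requests as raw HTTP and reports that beacon shape. The requests are transcribed from the report and rebuilt with CRLF line endings and the seven trailing bytes the report shows as Data Raw; the fourth, benign request is constructed here for contrast. Note that the requests are kept undecoded on purpose: the lHNl value contains "+" and "/" that a query-string decoder would mangle.

```python
"""Added example (not from the report): parse the FormBook GET requests
listed above and extract what makes them a beacon. The first three
requests are transcribed from the report; the fourth is constructed."""
from collections import defaultdict

REQUESTS = [
    (b"GET /ga4/?lHNl=xCMe8TEEQeGHL7NYIadhCIXnyUmnU5I9ErqRFjmWuYFeYalp5f1evTEH12QixUF/1KbMli6PTQ==&D8k8=O0DHsL6Hd HTTP/1.1\r\n"
     b"Host: www.zoomforyourhealth.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    (b"GET /ga4/?lHNl=YJsPUx3mPs6gDQF5QVnuDXpId8Od6s/y7DQYc8YoikEsp0SPvgTtlxn9JJsDEPJ+DKOL/qhXSA==&D8k8=O0DHsL6Hd HTTP/1.1\r\n"
     b"Host: www.pawhot.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    (b"GET /ga4/?lHNl=IEWYQCkd5Ccf1VBB+B8zkvP/o1fSimwcqFHGBmQJ0LttAjxG82j3ncBxV3KSNWT6GLhsr0hisA==&D8k8=O0DHsL6Hd HTTP/1.1\r\n"
     b"Host: www.ilikecircles.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    # Constructed benign request for contrast, not from the report.
    (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nConnection: close\r\n\r\n"),
]


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser. Query values are kept verbatim (no
    percent- or plus-decoding) because the payload is opaque data in which
    '+' and '/' are significant."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = []
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")   # first '=' only; base64 padding follows
        params.append((name, value))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params, "headers": headers, "body": body}


def lacks_user_agent(req: dict) -> bool:
    """The report's 'HTTP GET or POST without a user agent' check."""
    return "user-agent" not in req["headers"]


def uri_shape(req: dict) -> tuple:
    """Path plus the ordered query-parameter names, ignoring the values."""
    return req["path"], tuple(name for name, _ in req["params"])


def constant_params(reqs: list) -> dict:
    """Query parameters whose value is identical across all given requests."""
    seen = defaultdict(set)
    for req in reqs:
        for name, value in req["params"]:
            seen[name].add(value)
    return {name: values.pop() for name, values in seen.items() if len(values) == 1}


def beacon_report(raw_requests: list, min_hosts: int = 2) -> list:
    """Cluster UA-less requests by URI shape; a shape sent to min_hosts or more
    distinct hosts is reported with its hosts and its static parameters."""
    clusters = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        if lacks_user_agent(req):
            clusters[uri_shape(req)].append(req)
    findings = []
    for (path, names), members in clusters.items():
        hosts = sorted({m["headers"].get("host", "") for m in members})
        if len(hosts) >= min_hosts:
            findings.append({"path": path, "params": list(names), "hosts": hosts,
                             "constant_params": constant_params(members)})
    return findings


if __name__ == "__main__":
    for finding in beacon_report(REQUESTS):
        print(finding)
```

The hosts list is what goes into a block list; the path plus the constant D8k8 parameter is what goes into a proxy or IDS rule, since FormBook rotates through many hosts per configuration and most of them (as the 403 and 404 responses above suggest) are decoys that never answer.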

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505431287.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.288040030.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505528656.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.287225293.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505064195.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.251116966.000000000399B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Payment Advice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.505431287.0000000002F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.505431287.0000000002F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.288040030.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.288040030.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.505528656.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.505528656.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.287225293.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.287225293.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.505064195.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.505064195.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.251116966.000000000399B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.251116966.000000000399B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Payment Advice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Payment Advice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment Advice.exe
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_0A5401A2 NtQuerySystemInformation
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_0A540167 NtQuerySystemInformation
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00419E90 NtClose
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00419D5A NtCreateFile
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00419DB2 NtCreateFile
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00419E0C NtReadFile
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00419F3C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CBB040 NtSuspendThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9560 NtWriteFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CBAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9A10 NtQuerySection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9A20 NtResumeThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CBA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9760 NtOpenProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CBA770 NtOpenThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CBA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D09E90 NtClose
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D09E10 NtReadFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D09F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D09D60 NtCreateFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D09E0C NtReadFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D09F3C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D09DB2 NtCreateFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D09D5A NtCreateFile
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04970070
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_049702F2
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04970006
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B1D460
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B19050
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B16DF0
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B131E8
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B14EC0
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B14274
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B15648
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B1DFA8
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B15F28
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B18C30
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B1C800
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B18C40
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B16D99
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B16D07
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B18E90
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B18E80
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B14E25
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B14E11
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B10A70
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B1C260
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B18A60
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B17A68
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B18A50
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B17A59
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B1D658
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B18729
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_04B19B13
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00401026
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041D9EC
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041D2E8
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041DC19
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00409E40
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00409E3B
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041DF0B
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041D71D
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041CFA6
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00402FB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04C8B090
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04D31002
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04C8841F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04D41D55
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04C7F900
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04C70D20
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04C94120
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04C96E30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CAEBB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02CF9E40
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02CF9E3B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0CFA6
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02CF2FB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02CF2D87
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02CF2D90
Source: Payment Advice.exe, 00000000.00000002.248689166.0000000000350000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyYD vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.252388208.0000000005010000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.251677961.0000000004B90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHutaba.dll, vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.251714952.0000000004BE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Advice.exe
Source: Payment Advice.exe, 00000001.00000002.288638456.000000000123F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Advice.exe
Source: Payment Advice.exe, 00000001.00000002.288259182.00000000010EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs Payment Advice.exe
Source: Payment Advice.exe, 00000001.00000000.247684642.00000000006B0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyYD vs Payment Advice.exe
Source: Payment Advice.exe | Binary or memory string: OriginalFilenameyYD vs Payment Advice.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: 00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.288097516.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.505431287.0000000002F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.505431287.0000000002F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.288040030.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.288040030.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.505528656.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.505528656.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.287225293.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.287225293.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.505064195.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.505064195.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.251116966.000000000399B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.251116966.000000000399B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Payment Advice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Payment Advice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@4/3
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_00B1BB3A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_00B1BB03 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Payment Advice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Advice.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4472:120:WilError_01
Source: Payment Advice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Payment Advice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: Payment Advice.exe | Virustotal: Detection: 49%
Source: Payment Advice.exe | ReversingLabs: Detection: 45%
Source: unknown | Process created: C:\Users\user\Desktop\Payment Advice.exe 'C:\Users\user\Desktop\Payment Advice.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Payment Advice.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Advice.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Advice.exe | Process created: C:\Users\user\Desktop\Payment Advice.exe {path}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Advice.exe'
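The process chain above has three shapes worth alerting on independently of the sample hash: the .NET loader re-launching its own image (with the literal argument `{path}`), a 32-bit system binary (autofmt.exe, msiexec.exe) started with no arguments to serve as an injection host, and msiexec.exe spawning `cmd.exe /c del` against the original file. The script below is an added example written for this page, not code from the sandbox or from the malware; it runs the three rules over constructed Sysmon-style process-creation records that mirror the chain. The PIDs, the explorer.exe parent, the field names and the benign control record are assumptions made here.

```python
"""Process-tree detection for the execution chain seen in this report.

Added example, not part of the sandbox report. Events are constructed
Sysmon-style process-creation records; PIDs, the explorer.exe parent,
the field names and the benign control record are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

SYSWOW64 = ("c:\\windows\\syswow64\\",)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# cmd.exe /c del "<path>"  (the report renders the quotes as single quotes)
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?)['"]?\s*$""", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the creator


def _under(path, prefixes):
    low = path.lower()
    return any(low.startswith(p) for p in prefixes)


def _no_arguments(ev):
    """True when the command line is just the image path, quoted or not."""
    return ev.cmdline.strip().strip("'\"").lower() == ev.image.lower()


def triage(events):
    """Return (rule, pid, detail) findings in event order."""
    images = {ev.image.lower() for ev in events}
    findings = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        parent = ntpath.basename(ev.parent_image)
        # Rule 1: a binary in a user-writable location spawns a copy of itself,
        # the usual shape of a .NET loader creating a child to hollow.
        if ev.image.lower() == ev.parent_image.lower() and _under(ev.image, USER_WRITABLE):
            findings.append(("self_relaunch", ev.pid, f"{name} spawned itself: {ev.cmdline}"))
        # Rule 2: a 32-bit system binary started bare, not by the service
        # control manager: a host process chosen to receive injected code.
        if _under(ev.image, SYSWOW64) and _no_arguments(ev) and parent.lower() != "services.exe":
            findings.append(("bare_syswow64_host", ev.pid, f"{name} started without arguments by {parent}"))
        # Rule 3: cmd.exe deleting a file that is itself an image in this tree,
        # on behalf of a system-binary parent: the payload erasing its dropper.
        if name == "cmd.exe" and _under(ev.parent_image, SYSWOW64):
            m = DEL_RE.search(ev.cmdline)
            if m and m.group("target").lower() in images:
                findings.append(("self_delete", ev.pid, f"{parent} deleted {m.group('target')}"))
    return findings


SAMPLE = "C:\\Users\\user\\Desktop\\Payment Advice.exe"
EVENTS = [  # constructed; PIDs and the explorer.exe parent are assumptions
    ProcEvent(6344, 3052, SAMPLE, f"'{SAMPLE}'", "C:\\Windows\\explorer.exe"),
    ProcEvent(6400, 6344, SAMPLE, "{path}", SAMPLE),
    ProcEvent(6500, 3052, "C:\\Windows\\SysWOW64\\autofmt.exe",
              "C:\\Windows\\SysWOW64\\autofmt.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(6900, 3052, "C:\\Windows\\SysWOW64\\msiexec.exe",
              "C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(7000, 6900, "C:\\Windows\\SysWOW64\\cmd.exe",
              f"/c del '{SAMPLE}'", "C:\\Windows\\SysWOW64\\msiexec.exe"),
    # benign control: the Windows Installer service started by the SCM
    ProcEvent(1200, 600, "C:\\Windows\\System32\\msiexec.exe",
              "C:\\Windows\\System32\\msiexec.exe /V", "C:\\Windows\\System32\\services.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:22} pid={pid:<6} {detail}")
```

Rule 2 is the noisiest of the three on a real estate and is best scoped to the SysWOW64 copies, as here: a 64-bit host rarely launches 32-bit system utilities bare, while the service-hosted `msiexec.exe /V` from services.exe is excluded by design.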
Source: C:\Users\user\Desktop\Payment Advice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Payment Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Payment Advice.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Payment Advice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb source: Payment Advice.exe, 00000001.00000002.288239258.00000000010E0000.00000040.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: Payment Advice.exe, 00000001.00000002.288239258.00000000010E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Advice.exe, 00000001.00000002.288638456.000000000123F000.00000040.00000001.sdmp, msiexec.exe, 00000008.00000002.506494084.0000000004D6F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment Advice.exe, 00000001.00000002.288638456.000000000123F000.00000040.00000001.sdmp, msiexec.exe
Source: Binary string: mscorrc.pdb source: Payment Advice.exe, 00000000.00000002.251714952.0000000004BE0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Payment Advice.exe, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Payment Advice.exe.260000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Payment Advice.exe.260000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Payment Advice.exe.5c0000.1.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Payment Advice.exe.5c0000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_049707FA push ebx; retf 0_2_04970803
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_049707EE push ebx; retf 0_2_049707F9
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041BA09 push esi; iretd 1_2_0041BA0E
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0040E339 push ebp; retf 1_2_0040E33A
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041E406 push es; ret 1_2_0041E407
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CCD0D1 push ecx; ret 8_2_04CCD0E4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0BA09 push esi; iretd 8_2_02D0BA0E
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0DBFE push eax; ret 8_2_02D0DBFF
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02CFE339 push ebp; retf 8_2_02CFE33A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0CEB5 push eax; ret 8_2_02D0CF08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0D651 pushad ; retf 8_2_02D0D652
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0CF6C push eax; ret 8_2_02D0CF72
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0CF02 push eax; ret 8_2_02D0CF08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0CF0B push eax; ret 8_2_02D0CF72
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02D0E406 push es; ret 8_2_02D0E407

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE7
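The "User mode code has changed" finding comes from comparing a function's first bytes as mapped in the process against the same bytes from the module on disk. The script below is an added example written for this page, not code from the sandbox or from the sample: it performs that comparison and, when the bytes differ, tries to decode the new code as one of the usual hook stubs (jmp rel32, jmp [rip+disp32], mov rax,imm64 / jmp rax, push/ret). The on-disk prologue, the function address and the hooked variants are constructed placeholders, not real user32.dll bytes; the six bytes the report prints for PeekMessageA are included as printed and, being only the start of the new code, decode as "unknown".

```python
"""Inline-hook check for a user-mode API prologue.

Added example, not code from the sample or the sandbox. ON_DISK,
PEEKMESSAGEA and HOOK_TARGET are constructed placeholders; only the
comparison and the stub decoding are the point.
"""
import struct

MASK64 = (1 << 64) - 1


def decode_stub(code, address):
    """Return (kind, target) if `code` at `address` starts with a known
    control-transfer stub, else None. x64 encodings, plus 32-bit push/ret."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (address + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xff\x25":               # jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]              # target is the pointer slot
        return "jmp_rip_indirect", (address + 6 + disp) & MASK64
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov_rax_jmp_rax", struct.unpack_from("<Q", code, 2)[0]  # mov rax, imm64; jmp rax
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None


def check_prologue(module, function, address, on_disk, in_memory, n=16):
    """Compare the first n bytes; return a finding dict, or None if unchanged."""
    disk, mem = on_disk[:n], in_memory[:n]
    if disk == mem:
        return None
    first_diff = next((i for i, (a, b) in enumerate(zip(disk, mem)) if a != b),
                      min(len(disk), len(mem)))
    stub = decode_stub(mem, address)
    return {
        "module": module, "function": function, "address": address,
        "first_diff": first_diff,
        "stub": stub[0] if stub else "unknown",
        "target": stub[1] if stub else None,
        "new_code": " ".join(f"0x{b:02X}" for b in mem[:6]),
    }


def make_jmp_rel32(address, target):
    """Five-byte hook as a hooking library would write it at `address`."""
    return b"\xe9" + struct.pack("<i", target - (address + 5))


def make_mov_rax_jmp(target):
    """Twelve-byte absolute hook: mov rax, imm64; jmp rax."""
    return b"\x48\xb8" + struct.pack("<Q", target) + b"\xff\xe0"


# Constructed sample data: a plausible-looking prologue, not the real one.
PEEKMESSAGEA = 0x7FF9_1234_5670
ON_DISK = bytes.fromhex("4883ec28488b05a1b2c3d04885c0")
HOOK_TARGET = 0x7FF9_1000_0000
# The six bytes printed in the report, as printed (truncated).
REPORT_NEW_CODE = bytes([0x48, 0x8B, 0xB8, 0x8E, 0xEE, 0xE7])


def demo():
    """Run the check against an unhooked, two hooked and the reported prologue."""
    cases = {
        "clean": ON_DISK,
        "jmp_rel32": make_jmp_rel32(PEEKMESSAGEA, HOOK_TARGET) + ON_DISK[5:],
        "mov_rax": make_mov_rax_jmp(HOOK_TARGET) + ON_DISK[12:],
        "report": REPORT_NEW_CODE,
    }
    return {k: check_prologue("user32.dll", "PeekMessageA", PEEKMESSAGEA, ON_DISK, v)
            for k, v in cases.items()}


if __name__ == "__main__":
    for label, finding in demo().items():
        print(f"{label:10} {finding}")
```

On a live host the in-memory bytes come from reading the target process at the export's address, and the reference bytes from the module file's .text at the same RVA after applying relocations; a mismatch whose stub target lies outside any loaded module's image is the strongest signal, since legitimate hot-patches and EDR hooks land inside a known module.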
Source: C:\Users\user\Desktop\Payment Advice.exe | Process information set: NOOPENFILEERRORBOX (28 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: Payment Advice.exe PID: 6344, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment Advice.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment Advice.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe | RDTSC instruction interceptor: First address: 0000000002CF98E4 second address: 0000000002CF98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe | RDTSC instruction interceptor: First address: 0000000002CF9B5E second address: 0000000002CF9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00409A90 rdtsc
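The intercepted sequence (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) is a two-read timing check: with almost nothing between the reads, the delta on bare metal is a few dozen cycles, while single-stepping, breakpoint-based tracing or emulation inflates it by orders of magnitude. The sandbox's "RDTSC instruction interceptor" defeats it by trapping rdtsc and answering from a private counter that advances by a small fixed step. The block below is an added example modelling both sides in Python; it is not code from the sample or from the sandbox, and the threshold, the per-read costs and the counter values are assumptions chosen to make the outcomes visible.

```python
"""Model of a two-read rdtsc timing check and of sandbox-side rdtsc
interception. Added example; the threshold and tick costs are assumptions.
"""
import time

MASK64 = (1 << 64) - 1


def rdtsc_delta_check(read_tsc, threshold_ticks):
    """Two back-to-back counter reads with almost no work in between.
    Returns True when the delta exceeds threshold_ticks, i.e. when the code
    concludes it is being single-stepped, hooked or emulated."""
    first = read_tsc()
    _ = 0 + first                      # stands in for `xor ecx, ecx ; add ecx, eax`
    second = read_tsc()
    return ((second - first) & MASK64) > threshold_ticks


class NativeTsc:
    """Deterministic stand-in for bare-metal rdtsc: a few dozen cycles per read."""
    def __init__(self, start=0x1_0000_0000, step=24):
        self.value, self.step = start, step

    def __call__(self):
        self.value += self.step
        return self.value


class InstrumentedTsc(NativeTsc):
    """The same hardware counter when every instruction costs an exception
    round-trip (single-stepping, breakpoint tracing): each read is far later."""
    def __init__(self, start=0x1_0000_0000, step=120_000):
        super().__init__(start, step)


class RdtscInterceptor:
    """Sandbox counter-measure: rdtsc is trapped and answered from a private
    counter that advances by a small fixed step, so however slow the analysis
    is, consecutive reads look like native timing. `hits` records how often
    the instruction was intercepted, as the report's interceptor lines do."""
    def __init__(self, step=24):
        self.value, self.step, self.hits = 0x1_0000_0000, step, 0

    def __call__(self):
        self.hits += 1
        self.value += self.step
        return self.value


def run_scenarios(threshold_ticks=1_000):
    """Outcome of the check under three execution environments."""
    return {
        "bare_metal": rdtsc_delta_check(NativeTsc(), threshold_ticks),
        "single_stepped": rdtsc_delta_check(InstrumentedTsc(), threshold_ticks),
        "intercepted": rdtsc_delta_check(RdtscInterceptor(), threshold_ticks),
    }


if __name__ == "__main__":
    print(run_scenarios())
    # Same check against the real monotonic clock (nanoseconds, not cycles):
    print("wall clock flagged:", rdtsc_delta_check(time.perf_counter_ns, 1_000_000))
```

The fixed-step answer is also why such interceptors are themselves detectable: two interceptor-served reads spaced by a real Sleep still differ by only `step`, which no physical counter would do. A sandbox therefore usually scales its private counter by a model of elapsed time rather than a constant, and the malware's threshold is a guess about what that model looks like.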
Source: C:\Users\user\Desktop\Payment Advice.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 6348 | Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 6364 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 3052 | Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 3052 | Thread sleep time: -68000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6948 | Thread sleep time: -70000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed (2 occurrences)
Source: explorer.exe, 00000002.00000000.269102400.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.269102400.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000002.516049234.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.269468147.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.269468147.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.261106039.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.269259425.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000002.00000000.269468147.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000000.269259425.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000002.517421806.00000000069DE000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000002.516049234.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000002.516049234.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Payment Advice.exe, 00000000.00000002.250240537.0000000002932000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000002.00000002.516049234.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Payment Advice.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_00B1A172 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\Payment Advice.exe | Process queried: DebugPort (5 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 1_2_0040ACD0 LdrLoadDll
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04D0B8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04D0B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04D48CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04D314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04C79080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CF3884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CB90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CAF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04CAF0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04D0C450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04C90050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C90050 mov eax, dword ptr fs:[00000030h]8_2_04C90050
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D32073 mov eax, dword ptr fs:[00000030h]8_2_04D32073
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D41074 mov eax, dword ptr fs:[00000030h]8_2_04D41074
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C9746D mov eax, dword ptr fs:[00000030h]8_2_04C9746D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D44015 mov eax, dword ptr fs:[00000030h]8_2_04D44015
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D44015 mov eax, dword ptr fs:[00000030h]8_2_04D44015
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04CF6C0A mov eax, dword ptr fs:[00000030h]8_2_04CF6C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04CF6C0A mov eax, dword ptr fs:[00000030h]8_2_04CF6C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04CF6C0A mov eax, dword ptr fs:[00000030h]8_2_04CF6C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04CF6C0A mov eax, dword ptr fs:[00000030h]8_2_04CF6C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D31C06 mov eax, dword ptr fs:[00000030h]8_2_04D31C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04CF7016 mov eax, dword ptr fs:[00000030h]8_2_04CF7016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04CF7016 mov eax, dword ptr fs:[00000030h]8_2_04CF7016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04CF7016 mov eax, dword ptr fs:[00000030h]8_2_04CF7016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D4740D mov eax, dword ptr fs:[00000030h]8_2_04D4740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D4740D mov eax, dword ptr fs:[00000030h]8_2_04D4740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D4740D mov eax, dword ptr fs:[00000030h]8_2_04D4740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C8B02A mov eax, dword ptr fs:[00000030h]8_2_04C8B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C8B02A mov eax, dword ptr fs:[00000030h]8_2_04C8B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C8B02A mov eax, dword ptr fs:[00000030h]8_2_04C8B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C8B02A mov eax, dword ptr fs:[00000030h]8_2_04C8B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04CABC2C mov eax, dword ptr fs:[00000030h]8_2_04CABC2C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04D28DF1 mov eax, dword ptr fs:[00000030h]8_2_04D28DF1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C7B1E1 mov eax, dword ptr fs:[00000030h]8_2_04C7B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C7B1E1 mov eax, dword ptr fs:[00000030h]8_2_04C7B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C7B1E1 mov eax, dword ptr fs:[00000030h]8_2_04C7B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C9C182 mov eax, dword ptr fs:[00000030h]8_2_04C9C182
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C72D8A mov eax, dword ptr fs:[00000030h]8_2_04C72D8A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_04C72D8A mov eax, dword ptr fs:[00000030h]8_2_04C72D8A