
Analysis Report: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Overview

General Information

Sample Name: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Analysis ID: 356535
MD5: 5f1c9c4a7bc24c3d39a5a3834ba7bb8e
SHA1: 0e9a21a75675c636438f50d90bb5f7ec9a689275
SHA256: 5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe' MD5: 5F1C9C4A7BC24C3D39A5A3834BA7BB8E)
    • Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (PID: 6840 cmdline: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe MD5: 5F1C9C4A7BC24C3D39A5A3834BA7BB8E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 6224 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 4188 cmdline: /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.jaemagreci.com/blr/"], "decoy": ["cvmjqcid.com", "cubskw.com", "carbeloy.com", "lucascolterneal.com", "robertlainstrom.com", "long9000.com", "drtconseils.com", "keptus.com", "mediamonkeyhouse.com", "outletmihotel.com", "exchangemailboxrepair.com", "kanaai.com", "mountshastajerky.com", "thepettybox.com", "sweetpopntreatz.com", "wpweasel.com", "plumbersinauckland.com", "sevdaduragi.com", "gesunde-ordnung.com", "10751wilshire801.com", "brandmkttx.net", "yoshiyama-potager.com", "na230.com", "kittyninja.net", "eurythmy.net", "circlecitydesign.com", "thesleepinn.com", "olgadalila.com", "happyaiper.com", "supplierdurian.site", "simplymcs.com", "ug-storecards.com", "gannahealing.com", "ginamoney.com", "emilyadkinsonrealtor.com", "tablatiffin.com", "laughinggrassfarm.com", "thebriartowns.com", "youplus.website", "soheilvaseghi.com", "prodhealth.site", "bltck.com", "zomapa.com", "hcssgy.com", "simplyloveoccasions.com", "mdglitzallstars.com", "rck.xyz", "stanchilo.com", "avadl.pro", "astursuites.com", "whowetrust.com", "easpipe.com", "ortopediagalvao.com", "wellhealt.com", "destinyhouseacton.com", "lazyturtletikibar.com", "online-verifieren.net", "jasa-software.com", "tenager365.com", "atgiven.icu", "recette-originale.com", "danielleandnic.com", "kathrynbaierling.com", "emmaxbellecandleco.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings

4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C

0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x13b3b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13b632:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1679d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x167c52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x147155:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x173775:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x146c41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x173261:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147257:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x173877:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1473cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x1739ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13c04a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x16866a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x145ebc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1724dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x13cd43:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x169363:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x14cdf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x179417:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x14ddfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack | Malware Configuration Extractor: FormBook {"C2 list": ["www.jaemagreci.com/blr/"], "decoy": ["cvmjqcid.com", "cubskw.com", "carbeloy.com", "lucascolterneal.com", "robertlainstrom.com", "long9000.com", "drtconseils.com", "keptus.com", "mediamonkeyhouse.com", "outletmihotel.com", "exchangemailboxrepair.com", "kanaai.com", "mountshastajerky.com", "thepettybox.com", "sweetpopntreatz.com", "wpweasel.com", "plumbersinauckland.com", "sevdaduragi.com", "gesunde-ordnung.com", "10751wilshire801.com", "brandmkttx.net", "yoshiyama-potager.com", "na230.com", "kittyninja.net", "eurythmy.net", "circlecitydesign.com", "thesleepinn.com", "olgadalila.com", "happyaiper.com", "supplierdurian.site", "simplymcs.com", "ug-storecards.com", "gannahealing.com", "ginamoney.com", "emilyadkinsonrealtor.com", "tablatiffin.com", "laughinggrassfarm.com", "thebriartowns.com", "youplus.website", "soheilvaseghi.com", "prodhealth.site", "bltck.com", "zomapa.com", "hcssgy.com", "simplyloveoccasions.com", "mdglitzallstars.com", "rck.xyz", "stanchilo.com", "avadl.pro", "astursuites.com", "whowetrust.com", "easpipe.com", "ortopediagalvao.com", "wellhealt.com", "destinyhouseacton.com", "lazyturtletikibar.com", "online-verifieren.net", "jasa-software.com", "tenager365.com", "atgiven.icu", "recette-originale.com", "danielleandnic.com", "kathrynbaierling.com", "emmaxbellecandleco.com"]}

Multi AV Scanner detection for submitted file
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Virustotal: Detection: 25%
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | ReversingLabs: Detection: 27%

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Joe Sandbox ML: detected
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols
Source: Binary string: explorer.pdbUGP | source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275056959.00000000010DF000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, explorer.exe
Source: Binary string: explorer.pdb | source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4x nop then pop edi | 4_2_0040E3A2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4x nop then pop edi | 4_2_0040E44A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi | 9_2_0309E3A2
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi | 9_2_0309E44A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.jaemagreci.com/blr/
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.kanaai.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.cvmjqcid.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=iTLpEvItJY3C/iY0O/gMWVvFAW67iqJR4Qa3Cv5AKoajJvRVMc3YtK32u24rykRgHJga&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.jaemagreci.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=BbRt519gnWT2xWYUVSCsYiPJyU2bwfntJXr00JvtFds5dVCPZN8W3I64QGhm0Na3rvFo&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.sweetpopntreatz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=luzvcdoWPFwNnK5D3r055oflJ4B6PNqet6SFuGGCnSWn2ee+CnvcD8UF6pdBh9++nOVu&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.long9000.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.soheilvaseghi.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.gannahealing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=Y4Nqpa2r+tF7um99WXv6gSEpOHOatsVE8QqSeJqkcp8K3U81YoxyR3xnMLz5lVrsAPpR&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.olgadalila.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=bjCfXUMydIGN0g8/5RwnbPPnLj5Or6e3tcQCgNEOQF7zRRnTIveAFITP4tBGYavfcP94&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.zomapa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 35.246.6.109
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: IDCFIDCFrontierIncJP
Source: Joe Sandbox View | ASN Name: MULTA-ASN1US
Source: unknown | DNS traffic detected: queries for: www.kanaai.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 23 Feb 2021 08:44:23 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding
Source: explorer.exe, 00000005.00000002.754895939.0000000004E61000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carbeloy.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carbeloy.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carbeloy.com/blr/www.prodhealth.site
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carbeloy.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.cvmjqcid.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.cvmjqcid.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.cvmjqcid.com/blr/www.jaemagreci.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.cvmjqcid.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.com/blr/www.olgadalila.com
Source: explorer.exe, 00000009.00000002.748643610.000000000561F000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ix
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com/blr/www.sweetpopntreatz.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com/blr/j
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com/blr/www.cvmjqcid.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com/blr/www.na230.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com/blr/www.soheilvaseghi.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com/blr/www.jasa-software.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com/blr/www.zomapa.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site/blr/www.stanchilo.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.siteReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com/blr/www.gannahealing.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com/blr/www.yoshiyama-potager.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com/blr/www.long9000.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.comReferer:
          Source: explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com/blr/www.kathrynbaierling.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com/blr/www.carbeloy.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237111867.0000000000DEB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
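The string hits above mix two populations: font-vendor and CDN URLs that come from the packer's embedded resources (fontbureau.com, founder.com.cn, bootstrapcdn.com), and the FormBook configuration that only appears in the injected explorer.exe process, where sixteen domains share the URI path "/blr/" and several strings carry the next config entry fused onto them ("www.kanaai.com/blr/www.cvmjqcid.com"). One hit is an actual check-in: a GET to www.gannahealing.com with the encoded payload in the "OhNhA" query parameter. The script below is an added example, not part of the Joe Sandbox report; it takes a constructed subset of the report's own hits as (process, URL) pairs, recovers the shared path token and the domain list including the fused entries, isolates the observed check-in, and emits Suricata 5+ rules for the result. The process label "sample.exe" stands for the submitted executable, and the threshold of three hosts is an assumption chosen so that a single vendor URL with a path can never be mistaken for a config.

```python
"""Added example (not part of the Joe Sandbox report): cluster the
'String found in binary or memory' URL hits into FormBook C2 candidates
versus benign URLs, recover the check-in, and emit Suricata rules."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input copied from the report's string hits (process, URL).
# 'sample.exe' stands for the submitted executable, 'explorer.exe' for the
# process it injected into. Only a subset of the report's hits is repeated.
OBSERVED = [
    ("sample.exe",   "http://www.fontbureau.com/designers/frere-jones.html"),
    ("sample.exe",   "http://www.fontbureau.com/designers?"),
    ("sample.exe",   "http://www.founder.com.cn/cn/cThe"),
    ("sample.exe",   "https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"),
    ("explorer.exe", "http://www.gannahealing.com"),
    ("explorer.exe", "http://www.gannahealing.com/blr/"),
    ("explorer.exe", "http://www.gannahealing.com/blr/www.olgadalila.com"),
    ("explorer.exe", "http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ix"),
    ("explorer.exe", "http://www.gannahealing.comReferer:"),
    ("explorer.exe", "http://www.jasa-software.com/blr/j"),
    ("explorer.exe", "http://www.kanaai.com/blr/www.cvmjqcid.com"),
    ("explorer.exe", "http://www.prodhealth.site/blr/www.stanchilo.com"),
    ("explorer.exe", "http://www.zomapa.com/blr/www.carbeloy.com"),
]

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

def split_url(url):
    """(host, path segments, query). Strings sit back-to-back in the dump, so a
    hostname may carry the start of the next string ('Referer:') fused to it."""
    parts = urlsplit(url)
    host = parts.netloc.split("Referer:")[0].lower()
    return host, [s for s in parts.path.split("/") if s], parts.query

def find_c2(observed, injected="explorer.exe", min_hosts=3):
    """Return (path token, config domains, check-ins seen).
    A FormBook config is a list of domains that all share one URI path; the
    first path segment shared by >= min_hosts hosts in the injected process
    is that token. Vendor URLs in the packer's resources never cluster so."""
    by_token = defaultdict(set)
    for proc, url in observed:
        host, segs, _ = split_url(url)
        if proc == injected and segs:
            by_token[segs[0]].add(host)
    if not by_token:
        return None, set(), []
    token = max(by_token, key=lambda t: len(by_token[t]))
    if len(by_token[token]) < min_hosts:
        return None, set(), []
    domains, checkins = set(by_token[token]), []
    for _, url in observed:
        host, segs, query = split_url(url)
        if token not in segs:
            continue
        # 'host/blr/www.next.com': the next config entry fused onto this one
        for seg in segs[segs.index(token) + 1:]:
            if HOST_RE.match(seg):
                domains.add(seg)
        if query:  # an actual GET carrying the encoded check-in payload
            key, _, value = query.partition("=")
            checkins.append((host, key, value))
    return token, domains, checkins

def to_suricata(token, domains, sid_base=9000001):
    """One rule per config domain, Suricata 5+ sticky-buffer syntax."""
    return [
        f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FormBook check-in to {d}"; '
        f'flow:established,to_server; http.host; content:"{d}"; http.uri; '
        f'content:"/{token}"; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(sorted(domains))
    ]

if __name__ == "__main__":
    tok, doms, hits = find_c2(OBSERVED)
    print(f"C2 path token: /{tok}/  config domains: {len(doms)}")
    for host, key, value in hits:
        print(f"check-in: {host} {key}={value[:16]}...")
    print("\n".join(to_suricata(tok, doms)))
```

FormBook pads its configuration with decoy domains, so the clustered list is a set of candidates rather than a confirmed C2; the only host the report shows answering is www.gannahealing.com, which is why the check-in is reported separately. The rules key on host plus the shared URI token rather than on the query parameter name, because the parameter name changes between builds.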

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, LogIn.cs Long String: Length: 13656
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs Long String: Length: 13656
Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs Long String: Length: 13656
Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, LogIn.cs Long String: Length: 13656
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, LogIn.cs Long String: Length: 13656
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419D60 NtCreateFile,4_2_00419D60
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419E10 NtReadFile,4_2_00419E10
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419E90 NtClose,4_2_00419E90
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419F40 NtAllocateVirtualMemory,4_2_00419F40
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419E8C NtClose,4_2_00419E8C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00419F3A NtAllocateVirtualMemory,4_2_00419F3A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_01029910
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010299A0 NtCreateSection,LdrInitializeThunk,4_2_010299A0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029840 NtDelayExecution,LdrInitializeThunk,4_2_01029840
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,4_2_01029860
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,4_2_010298F0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,4_2_01029A00
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A20 NtResumeThread,LdrInitializeThunk,4_2_01029A20
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A50 NtCreateFile,LdrInitializeThunk,4_2_01029A50
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029540 NtReadFile,LdrInitializeThunk,4_2_01029540
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010295D0 NtClose,LdrInitializeThunk,4_2_010295D0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029710 NtQueryInformationToken,LdrInitializeThunk,4_2_01029710
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029780 NtMapViewOfSection,LdrInitializeThunk,4_2_01029780
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk,4_2_010297A0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_01029660
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_010296E0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029950 NtQueueApcThread,4_2_01029950
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010299D0 NtCreateProcessEx,4_2_010299D0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029820 NtEnumerateKey,4_2_01029820
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102B040 NtSuspendThread,4_2_0102B040
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010298A0 NtWriteVirtualMemory,4_2_010298A0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029B00 NtSetValueKey,4_2_01029B00
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102A3B0 NtGetContextThread,4_2_0102A3B0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A10 NtQuerySection,4_2_01029A10
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029A80 NtOpenDirectoryObject,4_2_01029A80
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029520 NtWaitForSingleObject,4_2_01029520
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102AD30 NtSetContextThread,4_2_0102AD30
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029560 NtWriteFile,4_2_01029560
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010295F0 NtQueryInformationFile,4_2_010295F0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102A710 NtOpenProcessToken,4_2_0102A710
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029730 NtQueryVirtualMemory,4_2_01029730
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029760 NtOpenProcess,4_2_01029760
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029770 NtSetInformationFile,4_2_01029770
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102A770 NtOpenThread,4_2_0102A770
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029FE0 NtCreateMutant,4_2_01029FE0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029610 NtEnumerateValueKey,4_2_01029610
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029650 NtQueryValueKey,4_2_01029650
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01029670 NtQueryInformationProcess,4_2_01029670
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010296D0 NtCreateKey,4_2_010296D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C695D0 NtClose,LdrInitializeThunk,9_2_04C695D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69540 NtReadFile,LdrInitializeThunk,9_2_04C69540
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C696D0 NtCreateKey,LdrInitializeThunk,9_2_04C696D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C696E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_04C696E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69650 NtQueryValueKey,LdrInitializeThunk,9_2_04C69650
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69660 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_04C69660
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69FE0 NtCreateMutant,LdrInitializeThunk,9_2_04C69FE0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69780 NtMapViewOfSection,LdrInitializeThunk,9_2_04C69780
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69710 NtQueryInformationToken,LdrInitializeThunk,9_2_04C69710
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69840 NtDelayExecution,LdrInitializeThunk,9_2_04C69840
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69860 NtQuerySystemInformation,LdrInitializeThunk,9_2_04C69860
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C699A0 NtCreateSection,LdrInitializeThunk,9_2_04C699A0
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69560 NtWriteFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69760 NtOpenProcess
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6A770 NtOpenThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C698F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69A10 NtQuerySection
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69A20 NtResumeThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030A9F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030A9E10 NtReadFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030A9E90 NtClose
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030A9D60 NtCreateFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030A9F3A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030A9E8C NtClose
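Taken one at a time, none of the native-API observations above is remarkable; the evidence lies in their combination inside a single process, and in that process being explorer.exe rather than the submitted sample. The script below is an added example and not part of the Joe Sandbox report: it parses lines in the report's "Source: ...; Code function: <pid>_<run>_<addr> <api>,..." form (also tolerating the run-together "explorer.exeCode function:" form and the duplicated function id found in extracted copies) and flags a process only when its resolved Nt* set covers a complete injection technique. The technique-to-API mapping and the sample lines are this example's own construction, built from the observations listed above, not a Joe Sandbox signature.

```python
import re

# Assumed line format (report style): "Source: <image>; Code function: <pid>_<run>_<addr> <api>,<api>,..."
# The regex also accepts the run-together extraction form "explorer.exeCode function: ..." and the
# duplicated function id that trails the API list in extracted copies of the report.
FUNC_RE = re.compile(
    r"Source:\s*(?P<src>.+?);?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<rest>.*)$"
)
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")

# Native API sets whose joint presence in one process is the hallmark of each injection
# technique named in the signature summary. Assumption of this example: a technique counts
# as covered only when every API in its set was resolved by that process.
TECHNIQUES = {
    "process hollowing": {
        "NtCreateProcessEx", "NtUnmapViewOfSection", "NtAllocateVirtualMemory",
        "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread",
    },
    "thread context hijack": {
        "NtOpenThread", "NtSuspendThread", "NtGetContextThread",
        "NtSetContextThread", "NtResumeThread",
    },
    "APC injection": {
        "NtOpenProcess", "NtWriteVirtualMemory", "NtQueueApcThread",
    },
}

# Constructed input: a subset of the "Code function" lines from the report above,
# the first one deliberately in the run-together extraction form.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C69910 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_04C69910
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C697A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69760 NtOpenProcess
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6A770 NtOpenThread
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C698A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6B040 NtSuspendThread
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C699D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69950 NtQueueApcThread
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C69A20 NtResumeThread
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C6A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030A9F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 0_2_028DC2B0
""".strip().splitlines()


def parse_code_functions(lines):
    """Return {(pid, image_path): set_of_apis} from the report's 'Code function' lines."""
    seen = {}
    for line in lines:
        m = FUNC_RE.search(line)
        if not m:
            continue
        key = (int(m.group("pid")), m.group("src").strip().rstrip(";").strip())
        apis = seen.setdefault(key, set())  # keep processes that resolved no named API
        for tok in m.group("rest").split(","):
            tok = tok.strip()
            if tok and not FUNC_ID_RE.match(tok):  # drop the duplicated function id
                apis.add(tok)
    return seen


def missing_apis(apis):
    """Map technique name -> APIs of its set not seen in the process (empty set = fully covered)."""
    return {name: needed - apis for name, needed in TECHNIQUES.items()}


def flag_injectors(lines):
    """Return {(pid, image_path): [technique, ...]} for processes whose resolved native
    APIs cover at least one complete injection technique; technique names are sorted."""
    hits = {}
    for key, apis in parse_code_functions(lines).items():
        full = sorted(name for name, gap in missing_apis(apis).items() if not gap)
        if full:
            hits[key] = full
    return hits


if __name__ == "__main__":
    for (pid, path), techniques in flag_injectors(REPORT_LINES).items():
        print(f"pid {pid} {path}: {', '.join(techniques)}")
```

On the constructed input only explorer.exe (pid 9) is flagged, for all three techniques; the sample's own pid 0 entry resolves no named native API in these lines and stays silent. The set-based rule is deliberately strict: a process that reaches NtWriteVirtualMemory and NtResumeThread but never NtUnmapViewOfSection is reported as incomplete for hollowing rather than guessed at.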
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 0_2_028DC2B0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 0_2_028D9990
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_0040102F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_0041D146
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_0040117A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_0041E229
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_0041D4D6
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00402D90
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00409E40
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_0041D625
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00409E3C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_0041D73F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00402FB0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_01004120
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00FFB090
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010A1002
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010120A0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010B20A8
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00FEF900
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010B2B28
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_0101EBB0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010B22AE
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010B2D07
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010B1D55
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_01012581
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00FF841F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00FFD5E0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_00FE0D20
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010B1FF1
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_01006E30
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: 4_2_010B2EF7
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CED466
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C3841F
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF25DD
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C3D5E0
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C52581
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF1D55
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF2D07
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C20D20
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF2EF7
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CED616
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C46E30
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF1FF1
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF28EC
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C3B090
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C520A0
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF20A8
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CE1002
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C2F900
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C44120
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF22AE
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CEDBD2
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04C5EBB0
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_04CF2B28
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030AE229
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030AD146
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_03092FB0
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030AD625
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_03099E3C
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_03099E40
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_03092D90
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_030AD4D6
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: String function: 04C2B150 appears 35 times
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Code function: String function: 00FEB150 appears 35 times
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237111867.0000000000DEB000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.236125503.00000000006C1000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameriched20.dllp( vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp; Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAsyncState.dllF vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.243377494.0000000008A10000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.243638026.0000000008BE0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.274332960.0000000000581000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275294499.000000000126F000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.276581329.0000000002ECE000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
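The two static PE observations (32BIT_MACHINE / EXECUTABLE_IMAGE in the file header, and a .text section that is executable, code-bearing and readable but not writable) are cheap to re-derive from the raw headers, and a triage script should do so rather than trust a report verbatim. The following is an added example, not Joe Sandbox code and not derived from the sample: a standard-library-only parser for the COFF file header and section table, with a layout check that flags the writable-and-executable sections typical of self-modifying packer stubs. The PE image it runs on is constructed in the block (headers only, zero-filled optional header) so the example runs offline; the constant values are the winnt.h definitions.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h names); only those this check needs.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_FLAG_NAMES = [(IMAGE_FILE_32BIT_MACHINE, "32BIT_MACHINE"),
                   (IMAGE_FILE_EXECUTABLE_IMAGE, "EXECUTABLE_IMAGE")]
SECTION_FLAG_NAMES = [(IMAGE_SCN_MEM_EXECUTE, "IMAGE_SCN_MEM_EXECUTE"),
                      (IMAGE_SCN_CNT_CODE, "IMAGE_SCN_CNT_CODE"),
                      (IMAGE_SCN_CNT_INITIALIZED_DATA, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
                      (IMAGE_SCN_MEM_READ, "IMAGE_SCN_MEM_READ"),
                      (IMAGE_SCN_MEM_WRITE, "IMAGE_SCN_MEM_WRITE")]


def parse_pe(data):
    """Parse the COFF file header and section table of a PE image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsect, _ts, _symptr, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sections, off = [], coff + 20 + opt_size  # section table follows the optional header
    for _ in range(nsect):
        name, _vs, _va, _rs, _rp, _rl, _ln, _nr, _nl, sc = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "characteristics": sc})
        off += 40  # sizeof(IMAGE_SECTION_HEADER)
    return {"machine": machine, "characteristics": chars, "sections": sections}


def names_for(value, table):
    """Translate a flag word into the names of its set bits, in table order."""
    return [name for bit, name in table if value & bit]


def check_sections(pe):
    """Return (section, problem) pairs for sections that break the expected layout:
    executable sections must not be writable and should carry CNT_CODE, and
    CNT_CODE sections should be executable. A clean compiler-built image yields []."""
    findings = []
    for s in pe["sections"]:
        sc = s["characteristics"]
        exe, wr, code = sc & IMAGE_SCN_MEM_EXECUTE, sc & IMAGE_SCN_MEM_WRITE, sc & IMAGE_SCN_CNT_CODE
        if exe and wr:
            findings.append((s["name"], "writable and executable"))
        elif exe and not code:
            findings.append((s["name"], "executable but not marked as code"))
        elif code and not exe:
            findings.append((s["name"], "code section not executable"))
    return findings


def build_pe(sections):
    """Build a minimal headers-only PE32 image for offline testing (constructed, not a real
    binary); the optional header is zero-filled because the check reads only COFF and section fields."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # exactly 0x40 bytes
    opt = b"\0" * 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, len(opt),
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                                 0, 0, 0, 0, 0, 0, 0, 0, sc) for n, sc in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed layouts: the first mirrors the .text flags reported above for the sample,
# the second is the RWX pattern of self-modifying packer stubs that the check is meant to flag.
CLEAN_LAYOUT = [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
                (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
RWX_LAYOUT = [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]

if __name__ == "__main__":
    pe = parse_pe(build_pe(CLEAN_LAYOUT))
    print("file:", ", ".join(names_for(pe["characteristics"], FILE_FLAG_NAMES)))
    for s in pe["sections"]:
        print(s["name"], ", ".join(names_for(s["characteristics"], SECTION_FLAG_NAMES)))
    print("findings:", check_sections(parse_pe(build_pe(RWX_LAYOUT))))
```

Point the parser at `open(path, "rb").read()` to run it against a real file. Note the caveat that applies to this sample: the section flags describe the on-disk image only; the FormBook payload the Yara rules matched lives in memory regions (the 0x400000 and 0xB00000 dumps of process 4, the 0x3090000 and 0x4850000 dumps of process 9) that a static section check never sees, which is why the report's memory-dump matches carry more weight than the clean-looking .text header.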
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, LogIn.cs; Base64 encoded string: (string elided)
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs