Analysis Report Payment_png.exe

Overview

General Information

Sample Name: Payment_png.exe
Analysis ID: 377352
MD5: 86fa26e33879d3c04152301eaaaba518
SHA1: 3c75755b8efe897bb18ea99f6014dabd5492d32c
SHA256: eacf1b7b8d612e5a500f79a03b06f9fb919768a1fb053ce3522f3288c36067f4
Tags: GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormally high CPU usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.booksfall.com/c8bs/"], "decoy": ["dreamwrldrp.com", "epkshu.com", "accinf5.com", "karadenizturk.com", "pcpartout.com", "kuwoopi.com", "gtaqcf.com", "lambofgodprinting.com", "vinelytv.com", "domennyarendi39.net", "broskiusa.com", "bombiepalaboy.com", "plowbrothers.com", "domentemenegi42.net", "jfhousebuyers.com", "birkenhof-allgaeu.net", "quantify-co.com", "bitoko.net", "choupisson.com", "bostonm.info", "wojkowski.com", "themersy.com", "structuredmen.net", "jadaccaentertainment.com", "strategyplace.net", "kadyshopping.com", "bookhangovers.com", "peopleskillschallenge.com", "sturestaypluspdx.com", "nxywsy.com", "citestaccnt1598622913.com", "bestmodestorestaurants.com", "thebabyfriendly.com", "aainakari.com", "cookklip.com", "8bitupgrades.com", "smartintegrityplatform.com", "silverdollarcafe.com", "obleaslaoriginal.com", "csfeliz.com", "selfmadepartners.com", "djmacktruck.com", "madefaz.net", "55zhidian.com", "slutefuter.com", "enternet360.com", "autoandtruckpartsincoh.com", "loversdeal.com", "windorians.com", "skinsbag.com", "indounace-maisounce.com", "atxrealestateforsale.com", "lotdco.com", "littlewanda.com", "epc-scot.com", "thesaltybookkeeper.com", "neebcoteam.com", "uforservice.com", "cashcanbeyours.com", "bondar.design", "rwpgoyiof.club", "mindfulreadings.com", "dhadaka.com", "aartihand.com"]}
Multi AV Scanner detection for submitted file
Source: Payment_png.exe Virustotal: Detection: 70%
Source: Payment_png.exe Metadefender: Detection: 19%
Source: Payment_png.exe ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.colorcpl.exe.30327b8.2.unpack Avira: Label: TR/Dropper.Gen
Source: 14.2.colorcpl.exe.5117960.5.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: Payment_png.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 170.249.199.106:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: Binary string: colorcpl.pdbGCTL source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment_png.exe, 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment_png.exe, colorcpl.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.booksfall.com/c8bs/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.plowbrothers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.loversdeal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.pcpartout.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.birkenhof-allgaeu.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.choupisson.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.uforservice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.silverdollarcafe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.218 198.54.117.218
Source: Joe Sandbox View IP Address: 23.227.38.32 23.227.38.32
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: BIZLAND-SDUS BIZLAND-SDUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: aps-mm.com | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: www.aps-mm.com | Connection: Keep-Alive
Source: C:\Windows\explorer.exe Code function: 6_2_0613D302 getaddrinfo,setsockopt,recv, 6_2_0613D302
Source: unknown DNS traffic detected: queries for: aps-mm.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 29 Mar 2021 11:59:43 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: Payment_png.exe, 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp String found in binary or memory: http://aps-mm.com/bin_BNUtTDfY243.bin
Source: explorer.exe, 00000006.00000000.294226634.000000000F740000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.aainakari.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.aainakari.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.aainakari.com/c8bs/www.bostonm.info
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.aainakari.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.accinf5.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.accinf5.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.accinf5.com/c8bs/www.silverdollarcafe.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.accinf5.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.birkenhof-allgaeu.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.birkenhof-allgaeu.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.birkenhof-allgaeu.net/c8bs/www.choupisson.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.birkenhof-allgaeu.netReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.booksfall.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.booksfall.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.booksfall.com/c8bs/www.pcpartout.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.booksfall.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.bostonm.info
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.bostonm.info/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.bostonm.info/c8bs/www.quantify-co.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.bostonm.infoReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.broskiusa.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.broskiusa.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.broskiusa.com/c8bs/www.aainakari.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.broskiusa.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.choupisson.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.choupisson.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.choupisson.com/c8bs/www.uforservice.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.choupisson.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.domennyarendi39.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.domennyarendi39.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.domennyarendi39.net/c8bs/www.accinf5.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.domennyarendi39.netReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.domentemenegi42.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.domentemenegi42.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.domentemenegi42.net/c8bs/www.broskiusa.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.domentemenegi42.netReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.loversdeal.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.loversdeal.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.loversdeal.com/c8bs/www.booksfall.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.loversdeal.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.pcpartout.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.pcpartout.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.pcpartout.com/c8bs/www.birkenhof-allgaeu.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.pcpartout.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.plowbrothers.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.plowbrothers.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.plowbrothers.com/c8bs/www.slutefuter.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.plowbrothers.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.quantify-co.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.quantify-co.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.quantify-co.com/c8bs/M
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.quantify-co.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.silverdollarcafe.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.silverdollarcafe.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.silverdollarcafe.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.slutefuter.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.slutefuter.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.slutefuter.com/c8bs/www.loversdeal.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.slutefuter.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.uforservice.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.uforservice.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.uforservice.com/c8bs/www.domennyarendi39.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://www.uforservice.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\explorer.exe Code function: 6_2_06136EB2 OpenClipboard, 6_2_06136EB2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Payment_png.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment_png.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Payment_png.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02220438 EnumWindows,NtSetInformationThread, 0_2_02220438
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02224EE8 NtProtectVirtualMemory, 0_2_02224EE8
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225331 NtMapViewOfSection, 0_2_02225331
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02220F83 NtWriteVirtualMemory,LoadLibraryA, 0_2_02220F83
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02222992 NtSetInformationThread, 0_2_02222992
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221E27 NtWriteVirtualMemory, 0_2_02221E27
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_0222542F NtMapViewOfSection, 0_2_0222542F
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02222033 NtWriteVirtualMemory, 0_2_02222033
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022220A1 NtWriteVirtualMemory, 0_2_022220A1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022204AF NtSetInformationThread, 0_2_022204AF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221AB4 NtWriteVirtualMemory, 0_2_02221AB4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221E81 NtWriteVirtualMemory, 0_2_02221E81
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022254F5 NtMapViewOfSection, 0_2_022254F5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022254CB NtMapViewOfSection, 0_2_022254CB
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022204D5 NtSetInformationThread, 0_2_022204D5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221F21 NtWriteVirtualMemory, 0_2_02221F21
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225338 NtMapViewOfSection, 0_2_02225338
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225301 NtMapViewOfSection, 0_2_02225301
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221369 NtWriteVirtualMemory, 0_2_02221369
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225544 NtMapViewOfSection, 0_2_02225544
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022253B4 NtMapViewOfSection, 0_2_022253B4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02222183 NtWriteVirtualMemory, 0_2_02222183
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225380 NtMapViewOfSection, 0_2_02225380
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221986 NtSetInformationThread,NtWriteVirtualMemory, 0_2_02221986
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221F93 NtWriteVirtualMemory, 0_2_02221F93
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221DEB NtWriteVirtualMemory, 0_2_02221DEB
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022253EF NtMapViewOfSection, 0_2_022253EF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_1E3E9660
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_1E3E96E0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_1E3E9710
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_1E3E97A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_1E3E9780
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9FE0 NtCreateMutant,LdrInitializeThunk, 2_2_1E3E9FE0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9540 NtReadFile,LdrInitializeThunk, 2_2_1E3E9540
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E95D0 NtClose,LdrInitializeThunk, 2_2_1E3E95D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A20 NtResumeThread,LdrInitializeThunk, 2_2_1E3E9A20
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_1E3E9A00
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A50 NtCreateFile,LdrInitializeThunk, 2_2_1E3E9A50
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_1E3E9860
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9840 NtDelayExecution,LdrInitializeThunk, 2_2_1E3E9840
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_1E3E98F0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_1E3E9910
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E99A0 NtCreateSection,LdrInitializeThunk, 2_2_1E3E99A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9610 NtEnumerateValueKey, 2_2_1E3E9610
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9670 NtQueryInformationProcess, 2_2_1E3E9670
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9650 NtQueryValueKey, 2_2_1E3E9650
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E96D0 NtCreateKey, 2_2_1E3E96D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9730 NtQueryVirtualMemory, 2_2_1E3E9730
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EA710 NtOpenProcessToken, 2_2_1E3EA710
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EA770 NtOpenThread, 2_2_1E3EA770
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9770 NtSetInformationFile, 2_2_1E3E9770
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9760 NtOpenProcess, 2_2_1E3E9760
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EAD30 NtSetContextThread, 2_2_1E3EAD30
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9520 NtWaitForSingleObject, 2_2_1E3E9520
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9560 NtWriteFile, 2_2_1E3E9560
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E95F0 NtQueryInformationFile, 2_2_1E3E95F0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A10 NtQuerySection, 2_2_1E3E9A10
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A80 NtOpenDirectoryObject, 2_2_1E3E9A80
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9B00 NtSetValueKey, 2_2_1E3E9B00
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EA3B0 NtGetContextThread, 2_2_1E3EA3B0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9820 NtEnumerateKey, 2_2_1E3E9820
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EB040 NtSuspendThread, 2_2_1E3EB040
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E98A0 NtWriteVirtualMemory, 2_2_1E3E98A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9950 NtQueueApcThread, 2_2_1E3E9950
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E99D0 NtCreateProcessEx, 2_2_1E3E99D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565331 NtSetInformationThread, 2_2_00565331
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00564EE8 NtProtectVirtualMemory, 2_2_00564EE8
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565301 NtSetInformationThread, 2_2_00565301
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565338 NtSetInformationThread, 2_2_00565338
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_005653EF NtSetInformationThread, 2_2_005653EF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565380 NtSetInformationThread, 2_2_00565380
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_005653B4 NtSetInformationThread, 2_2_005653B4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_0056542F NtSetInformationThread, 2_2_0056542F
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_005654CB NtSetInformationThread, 2_2_005654CB
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_005654F5 NtSetInformationThread, 2_2_005654F5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565544 NtSetInformationThread, 2_2_00565544
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C495D0 NtClose,LdrInitializeThunk, 14_2_04C495D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49540 NtReadFile,LdrInitializeThunk, 14_2_04C49540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C496D0 NtCreateKey,LdrInitializeThunk, 14_2_04C496D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C496E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_04C496E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49650 NtQueryValueKey,LdrInitializeThunk, 14_2_04C49650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_04C49660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49FE0 NtCreateMutant,LdrInitializeThunk, 14_2_04C49FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49780 NtMapViewOfSection,LdrInitializeThunk, 14_2_04C49780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49710 NtQueryInformationToken,LdrInitializeThunk, 14_2_04C49710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49840 NtDelayExecution,LdrInitializeThunk, 14_2_04C49840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_04C49860
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C499A0 NtCreateSection,LdrInitializeThunk, 14_2_04C499A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_04C49910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A50 NtCreateFile,LdrInitializeThunk, 14_2_04C49A50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C495F0 NtQueryInformationFile, 14_2_04C495F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49560 NtWriteFile, 14_2_04C49560
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49520 NtWaitForSingleObject, 14_2_04C49520
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4AD30 NtSetContextThread, 14_2_04C4AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49670 NtQueryInformationProcess, 14_2_04C49670
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49610 NtEnumerateValueKey, 14_2_04C49610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C497A0 NtUnmapViewOfSection, 14_2_04C497A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49760 NtOpenProcess, 14_2_04C49760
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4A770 NtOpenThread, 14_2_04C4A770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49770 NtSetInformationFile, 14_2_04C49770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4A710 NtOpenProcessToken, 14_2_04C4A710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49730 NtQueryVirtualMemory, 14_2_04C49730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C498F0 NtReadVirtualMemory, 14_2_04C498F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C498A0 NtWriteVirtualMemory, 14_2_04C498A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4B040 NtSuspendThread, 14_2_04C4B040
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49820 NtEnumerateKey, 14_2_04C49820
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C499D0 NtCreateProcessEx, 14_2_04C499D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49950 NtQueueApcThread, 14_2_04C49950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A80 NtOpenDirectoryObject, 14_2_04C49A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A00 NtProtectVirtualMemory, 14_2_04C49A00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A10 NtQuerySection, 14_2_04C49A10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A20 NtResumeThread, 14_2_04C49A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4A3B0 NtGetContextThread, 14_2_04C4A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49B00 NtSetValueKey, 14_2_04C49B00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_009681C0 NtCreateFile, 14_2_009681C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_009682F0 NtClose, 14_2_009682F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00968270 NtReadFile, 14_2_00968270
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_009683A0 NtAllocateVirtualMemory, 14_2_009683A0
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C6E30 2_2_1E3C6E30
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46D616 2_2_1E46D616
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E472EF7 2_2_1E472EF7
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47DFCE 2_2_1E47DFCE
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E471FF1 2_2_1E471FF1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46D466 2_2_1E46D466
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B841F 2_2_1E3B841F
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E471D55 2_2_1E471D55
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A0D20 2_2_1E3A0D20
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E472D07 2_2_1E472D07
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4725DD 2_2_1E4725DD
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2581 2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BD5E0 2_2_1E3BD5E0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E45FA2B 2_2_1E45FA2B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4722AE 2_2_1E4722AE
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E44CB4F 2_2_1E44CB4F
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E472B28 2_2_1E472B28
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CAB40 2_2_1E3CAB40
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DEBB0 2_2_1E3DEBB0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46DBD2 2_2_1E46DBD2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4603DA 2_2_1E4603DA
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4523E3 2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D138B 2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DABD8 2_2_1E3DABD8
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA830 2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461002 2_2_1E461002
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47E824 2_2_1E47E824
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D20A0 2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BB090 2_2_1E3BB090
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4728EC 2_2_1E4728EC
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4720A8 2_2_1E4720A8
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C4120 2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AF900 2_2_1E3AF900
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF 2_2_1E3C99BF
Source: C:\Windows\explorer.exe Code function: 6_2_0613A062 6_2_0613A062
Source: C:\Windows\explorer.exe Code function: 6_2_061358F9 6_2_061358F9
Source: C:\Windows\explorer.exe Code function: 6_2_061382FF 6_2_061382FF
Source: C:\Windows\explorer.exe Code function: 6_2_06135902 6_2_06135902
Source: C:\Windows\explorer.exe Code function: 6_2_06138302 6_2_06138302
Source: C:\Windows\explorer.exe Code function: 6_2_06136362 6_2_06136362
Source: C:\Windows\explorer.exe Code function: 6_2_0613C5B2 6_2_0613C5B2
Source: C:\Windows\explorer.exe Code function: 6_2_0613B7C7 6_2_0613B7C7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC4496 14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CCD466 14_2_04CCD466
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2B477 14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1841F 14_2_04C1841F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD25DD 14_2_04CD25DD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1D5E0 14_2_04C1D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C32581 14_2_04C32581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC2D82 14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD1D55 14_2_04CD1D55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD2D07 14_2_04CD2D07
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C00D20 14_2_04C00D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD2EF7 14_2_04CD2EF7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CCD616 14_2_04CCD616
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C26E30 14_2_04C26E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CDDFCE 14_2_04CDDFCE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD1FF1 14_2_04CD1FF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD28EC 14_2_04CD28EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1B090 14_2_04C1B090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C320A0 14_2_04C320A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD20A8 14_2_04CD20A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC1002 14_2_04CC1002
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CDE824 14_2_04CDE824
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2A830 14_2_04C2A830
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C299BF 14_2_04C299BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C0F900 14_2_04C0F900
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C24120 14_2_04C24120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC4AEF 14_2_04CC4AEF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD22AE 14_2_04CD22AE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CBFA2B 14_2_04CBFA2B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2B236 14_2_04C2B236
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC03DA 14_2_04CC03DA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3ABD8 14_2_04C3ABD8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CCDBD2 14_2_04CCDBD2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CB23E3 14_2_04CB23E3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3138B 14_2_04C3138B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3EBB0 14_2_04C3EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2AB40 14_2_04C2AB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CACB4F 14_2_04CACB4F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2A309 14_2_04C2A309
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD2B28 14_2_04CD2B28
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00958C5B 14_2_00958C5B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00958C60 14_2_00958C60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00952D90 14_2_00952D90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00952D8F 14_2_00952D8F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00952FB0 14_2_00952FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Payment_png.exe Code function: String function: 1E3AB150 appears 136 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04C0B150 appears 136 times
PE file contains strange resources
Source: Payment_png.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Payment_png.exe, 00000000.00000000.200466328.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.313895649.000000001DC50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.313927300.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.305998798.00000000000B3000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000000.245916312.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
Source: Payment_png.exe Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
Uses 32bit PE files
Source: Payment_png.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@13/7
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_01
Source: C:\Users\user\Desktop\Payment_png.exe File created: C:\Users\user\AppData\Local\Temp\~DF404ACC61CD765358.TMP
Source: Payment_png.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_png.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Payment_png.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment_png.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_png.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_png.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment_png.exe Virustotal: Detection: 70%
Source: Payment_png.exe Metadefender: Detection: 19%
Source: Payment_png.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Users\user\Desktop\Payment_png.exe Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_png.exe Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: colorcpl.pdbGCTL source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment_png.exe, 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment_png.exe, colorcpl.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_png.exe PID: 6076, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_png.exe PID: 6076, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_00408843 push esp; iretd 0_2_0040886A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_00405E7A push esp; iretd 0_2_00405E8E
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_004050B4 push esp; iretd 0_2_004050B6
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_00408944 push esp; iretd 0_2_0040896E
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3FD0D1 push ecx; ret 2_2_1E3FD0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C5D0D1 push ecx; ret 14_2_04C5D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00960109 push ss; ret 14_2_0096010A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00965268 push esp; iretd 14_2_0096526C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0096B3B5 push eax; ret 14_2_0096B408
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0096B402 push eax; ret 14_2_0096B408
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0096B40B push eax; ret 14_2_0096B472
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0096B46C push eax; ret 14_2_0096B472
Source: C:\Users\user\Desktop\Payment_png.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_png.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_png.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02222C06 0_2_02222C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00562C06 2_2_00562C06
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 00000000022201BA second address: 00000000022201BA instructions:
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 0000000002224607 second address: 0000000002224607 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA74E07F08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007FEA74E07EECh 0x0000002e call 00007FEA74E07F77h 0x00000033 call 00007FEA74E07F18h 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 0000000002222CE8 second address: 0000000002222CE8 instructions:
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 0000000002222DFA second address: 0000000002222DFA instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\Payment_png.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Payment_png.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\Payment_png.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Payment_png.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Payment_png.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 00000000022201BA second address: 00000000022201BA instructions:
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 0000000002224607 second address: 0000000002224607 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA74E07F08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007FEA74E07EECh 0x0000002e call 00007FEA74E07F77h 0x00000033 call 00007FEA74E07F18h 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 0000000002224627 second address: 0000000002224627 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA74DAB2BFh 0x0000001d popad 0x0000001e call 00007FEA74DAAF98h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 00000000022244B4 second address: 0000000002224627 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add dword ptr [ebp+0000009Ch], 01h 0x0000000a add edi, edx 0x0000000c dec ecx 0x0000000d test ebx, 6012DFB5h 0x00000013 cmp ecx, 00000000h 0x00000016 jne 00007FEA74E07EA8h 0x00000018 push ecx 0x00000019 call 00007FEA74E07FB1h 0x0000001e call 00007FEA74E08000h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 0000000002222CE8 second address: 0000000002222CE8 instructions:
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 0000000002222DFA second address: 0000000002222DFA instructions:
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 0000000000564627 second address: 0000000000564627 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA74DAB2BFh 0x0000001d popad 0x0000001e call 00007FEA74DAAF98h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 00000000005644B4 second address: 0000000000564627 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add dword ptr [ebp+0000009Ch], 01h 0x0000000a add edi, edx 0x0000000c dec ecx 0x0000000d test ebx, 6012DFB5h 0x00000013 cmp ecx, 00000000h 0x00000016 jne 00007FEA74E07EA8h 0x00000018 push ecx 0x00000019 call 00007FEA74E07FB1h 0x0000001e call 00007FEA74E08000h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 00000000009585E4 second address: 00000000009585EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 000000000095897E second address: 0000000000958984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02220604 rdtsc 0_2_02220604
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3096 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 632 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000006.00000000.289998327.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000002.481359451.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.290294461.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Payment_png.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Payment_png.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02220438 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 0_2_02220438
Hides threads from debuggers
Source: C:\Users\user\Desktop\Payment_png.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Payment_png.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Payment_png.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Payment_png.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Payment_png.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Payment_png.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02220604 rdtsc 0_2_02220604
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022228D0 LdrInitializeThunk, 0_2_022228D0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02222415 mov eax, dword ptr fs:[00000030h] 0_2_02222415
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02224B11 mov eax, dword ptr fs:[00000030h] 0_2_02224B11
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221369 mov eax, dword ptr fs:[00000030h] 0_2_02221369
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02224377 mov eax, dword ptr fs:[00000030h] 0_2_02224377
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022219A3 mov eax, dword ptr fs:[00000030h] 0_2_022219A3
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221986 mov eax, dword ptr fs:[00000030h] 0_2_02221986
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02223BE9 mov eax, dword ptr fs:[00000030h] 0_2_02223BE9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46AE44 mov eax, dword ptr fs:[00000030h] 2_2_1E46AE44
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46AE44 mov eax, dword ptr fs:[00000030h] 2_2_1E46AE44
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AE620 mov eax, dword ptr fs:[00000030h] 2_2_1E3AE620
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 2_2_1E3DA61C
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 2_2_1E3DA61C
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 2_2_1E3AC600
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 2_2_1E3AC600
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 2_2_1E3AC600
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D8E00 mov eax, dword ptr fs:[00000030h] 2_2_1E3D8E00
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461608 mov eax, dword ptr fs:[00000030h] 2_2_1E461608
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B766D mov eax, dword ptr fs:[00000030h] 2_2_1E3B766D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E45FE3F mov eax, dword ptr fs:[00000030h] 2_2_1E45FE3F
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E45FEC0 mov eax, dword ptr fs:[00000030h] 2_2_1E45FEC0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E478ED6 mov eax, dword ptr fs:[00000030h] 2_2_1E478ED6
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43FE87 mov eax, dword ptr fs:[00000030h] 2_2_1E43FE87
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B76E2 mov eax, dword ptr fs:[00000030h] 2_2_1E3B76E2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h] 2_2_1E3D16E0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 2_2_1E470EA5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 2_2_1E470EA5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 2_2_1E470EA5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4246A7 mov eax, dword ptr fs:[00000030h] 2_2_1E4246A7
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D36CC mov eax, dword ptr fs:[00000030h] 2_2_1E3D36CC
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h] 2_2_1E3E8EC7
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB73D mov eax, dword ptr fs:[00000030h] 2_2_1E3CB73D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB73D mov eax, dword ptr fs:[00000030h] 2_2_1E3CB73D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DE730 mov eax, dword ptr fs:[00000030h] 2_2_1E3DE730
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 2_2_1E3A4F2E
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 2_2_1E3A4F2E
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CF716 mov eax, dword ptr fs:[00000030h] 2_2_1E3CF716
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E478F6A mov eax, dword ptr fs:[00000030h] 2_2_1E478F6A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 2_2_1E3DA70E
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 2_2_1E3DA70E
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47070D mov eax, dword ptr fs:[00000030h] 2_2_1E47070D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47070D mov eax, dword ptr fs:[00000030h] 2_2_1E47070D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 2_2_1E43FF10
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 2_2_1E43FF10
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BFF60 mov eax, dword ptr fs:[00000030h] 2_2_1E3BFF60
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BEF40 mov eax, dword ptr fs:[00000030h] 2_2_1E3BEF40
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B8794 mov eax, dword ptr fs:[00000030h] 2_2_1E3B8794
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E37F5 mov eax, dword ptr fs:[00000030h] 2_2_1E3E37F5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E427794 mov eax, dword ptr fs:[00000030h] 2_2_1E427794
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E427794 mov eax, dword ptr fs:[00000030h] 2_2_1E427794
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E427794 mov eax, dword ptr fs:[00000030h] 2_2_1E427794
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DBC2C mov eax, dword ptr fs:[00000030h] 2_2_1E3DBC2C
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43C450 mov eax, dword ptr fs:[00000030h] 2_2_1E43C450
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43C450 mov eax, dword ptr fs:[00000030h] 2_2_1E43C450
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h] 2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h] 2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h] 2_2_1E426C0A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h] 2_2_1E426C0A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h] 2_2_1E426C0A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h] 2_2_1E426C0A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47740D mov eax, dword ptr fs:[00000030h] 2_2_1E47740D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47740D mov eax, dword ptr fs:[00000030h] 2_2_1E47740D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47740D mov eax, dword ptr fs:[00000030h] 2_2_1E47740D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C746D mov eax, dword ptr fs:[00000030h] 2_2_1E3C746D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DA44B mov eax, dword ptr fs:[00000030h] 2_2_1E3DA44B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E478CD6 mov eax, dword ptr fs:[00000030h] 2_2_1E478CD6
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B849B mov eax, dword ptr fs:[00000030h] 2_2_1E3B849B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 2_2_1E426CF0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 2_2_1E426CF0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 2_2_1E426CF0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4614FB mov eax, dword ptr fs:[00000030h] 2_2_1E4614FB
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h] 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E423540 mov eax, dword ptr fs:[00000030h] 2_2_1E423540
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E453D40 mov eax, dword ptr fs:[00000030h] 2_2_1E453D40
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 2_2_1E3D4D3B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 2_2_1E3D4D3B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 2_2_1E3D4D3B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AAD30 mov eax, dword ptr fs:[00000030h] 2_2_1E3AAD30
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 2_2_1E3CC577
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 2_2_1E3CC577
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C7D50 mov eax, dword ptr fs:[00000030h] 2_2_1E3C7D50
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E478D34 mov eax, dword ptr fs:[00000030h] 2_2_1E478D34
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E42A537 mov eax, dword ptr fs:[00000030h] 2_2_1E42A537
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E3D43 mov eax, dword ptr fs:[00000030h] 2_2_1E3E3D43
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46E539 mov eax, dword ptr fs:[00000030h] 2_2_1E46E539
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_1E3D1DB5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_1E3D1DB5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_1E3D1DB5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426DC9 mov ecx, dword ptr fs:[00000030h] 2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D35A1 mov eax, dword ptr fs:[00000030h] 2_2_1E3D35A1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 2_2_1E46FDE2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 2_2_1E46FDE2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 2_2_1E46FDE2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 2_2_1E46FDE2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 2_2_1E3DFD9B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 2_2_1E3DFD9B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E458DF1 mov eax, dword ptr fs:[00000030h] 2_2_1E458DF1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h] 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h] 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h] 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h] 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h] 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h] 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h] 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 2_2_1E3BD5E0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 2_2_1E3BD5E0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4705AC mov eax, dword ptr fs:[00000030h] 2_2_1E4705AC
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4705AC mov eax, dword ptr fs:[00000030h] 2_2_1E4705AC
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 2_2_1E3E4A2C
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 2_2_1E3E4A2C
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46EA55 mov eax, dword ptr fs:[00000030h] 2_2_1E46EA55
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E434257 mov eax, dword ptr fs:[00000030h] 2_2_1E434257
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C3A1C mov eax, dword ptr fs:[00000030h] 2_2_1E3C3A1C
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E45B260 mov eax, dword ptr fs:[00000030h] 2_2_1E45B260
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E45B260 mov eax, dword ptr fs:[00000030h] 2_2_1E45B260
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E478A62 mov eax, dword ptr fs:[00000030h] 2_2_1E478A62
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 2_2_1E3A5210
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A5210 mov ecx, dword ptr fs:[00000030h] 2_2_1E3A5210
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 2_2_1E3A5210
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 2_2_1E3A5210
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 2_2_1E3AAA16
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 2_2_1E3AAA16
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B8A0A mov eax, dword ptr fs:[00000030h] 2_2_1E3B8A0A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E927A mov eax, dword ptr fs:[00000030h] 2_2_1E3E927A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46AA16 mov eax, dword ptr fs:[00000030h] 2_2_1E46AA16
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46AA16 mov eax, dword ptr fs:[00000030h] 2_2_1E46AA16
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 2_2_1E3A9240
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 2_2_1E3A9240
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 2_2_1E3A9240
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 2_2_1E3A9240
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_1E3BAAB0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_1E3BAAB0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h] 2_2_1E3DFAB0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 2_2_1E3DD294
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 2_2_1E3DD294
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h] 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h] 2_2_1E3D2AE4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2ACB mov eax, dword ptr fs:[00000030h] 2_2_1E3D2ACB
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E478B58 mov eax, dword ptr fs:[00000030h] 2_2_1E478B58
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 2_2_1E3D3B7A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 2_2_1E3D3B7A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h] 2_2_1E3ADB60
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46131B mov eax, dword ptr fs:[00000030h] 2_2_1E46131B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AF358 mov eax, dword ptr fs:[00000030h] 2_2_1E3AF358
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3ADB40 mov eax, dword ptr fs:[00000030h] 2_2_1E3ADB40
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4253CA mov eax, dword ptr fs:[00000030h] 2_2_1E4253CA
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4253CA mov eax, dword ptr fs:[00000030h] 2_2_1E4253CA
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 2_2_1E3D4BAD
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 2_2_1E3D4BAD
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 2_2_1E3D4BAD
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4523E3 mov ecx, dword ptr fs:[00000030h] 2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4523E3 mov ecx, dword ptr fs:[00000030h] 2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4523E3 mov eax, dword ptr fs:[00000030h] 2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2397 mov eax, dword ptr fs:[00000030h] 2_2_1E3D2397
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DB390 mov eax, dword ptr fs:[00000030h] 2_2_1E3DB390
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 2_2_1E3B1B8F
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 2_2_1E3B1B8F
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h] 2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h] 2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h] 2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E45D380 mov ecx, dword ptr fs:[00000030h] 2_2_1E45D380
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46138A mov eax, dword ptr fs:[00000030h] 2_2_1E46138A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h] 2_2_1E3CDBE9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E475BA5 mov eax, dword ptr fs:[00000030h] 2_2_1E475BA5
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h] 2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h] 2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h] 2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h] 2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h] 2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h] 2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 2_2_1E3BB02A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 2_2_1E3BB02A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 2_2_1E3BB02A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 2_2_1E3BB02A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E471074 mov eax, dword ptr fs:[00000030h] 2_2_1E471074
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462073 mov eax, dword ptr fs:[00000030h] 2_2_1E462073
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E474015 mov eax, dword ptr fs:[00000030h] 2_2_1E474015
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E474015 mov eax, dword ptr fs:[00000030h] 2_2_1E474015
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h] 2_2_1E427016
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h] 2_2_1E427016
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h] 2_2_1E427016
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 2_2_1E3C0050
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 2_2_1E3C0050
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3DF0BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 2_2_1E3DF0BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 2_2_1E3DF0BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E90AF mov eax, dword ptr fs:[00000030h] 2_2_1E3E90AF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A9080 mov eax, dword ptr fs:[00000030h] 2_2_1E3A9080
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E423884 mov eax, dword ptr fs:[00000030h] 2_2_1E423884
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E423884 mov eax, dword ptr fs:[00000030h] 2_2_1E423884
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A58EC mov eax, dword ptr fs:[00000030h] 2_2_1E3A58EC
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB8E4 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB8E4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB8E4 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB8E4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 2_2_1E3A40E1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 2_2_1E3A40E1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 2_2_1E3A40E1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D513A mov eax, dword ptr fs:[00000030h] 2_2_1E3D513A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D513A mov eax, dword ptr fs:[00000030h] 2_2_1E3D513A
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C4120 mov ecx, dword ptr fs:[00000030h] 2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 2_2_1E3A9100
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 2_2_1E3A9100
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 2_2_1E3A9100
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 2_2_1E3AB171
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 2_2_1E3AB171
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AC962 mov eax, dword ptr fs:[00000030h] 2_2_1E3AC962
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB944 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB944
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB944 mov eax, dword ptr fs:[00000030h] 2_2_1E3CB944
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h] 2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D61A0 mov eax, dword ptr fs:[00000030h] 2_2_1E3D61A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D61A0 mov eax, dword ptr fs:[00000030h] 2_2_1E3D61A0
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4341E8 mov eax, dword ptr fs:[00000030h] 2_2_1E4341E8
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2990 mov eax, dword ptr fs:[00000030h] 2_2_1E3D2990
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DA185 mov eax, dword ptr fs:[00000030h] 2_2_1E3DA185
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CC182 mov eax, dword ptr fs:[00000030h] 2_2_1E3CC182
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_1E3AB1E1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_1E3AB1E1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_1E3AB1E1
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h] 2_2_1E4649A4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h] 2_2_1E4649A4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h] 2_2_1E4649A4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h] 2_2_1E4649A4
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4269A6 mov eax, dword ptr fs:[00000030h] 2_2_1E4269A6
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h] 2_2_1E4251BE
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h] 2_2_1E4251BE
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h] 2_2_1E4251BE
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h] 2_2_1E4251BE
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00564377 mov eax, dword ptr fs:[00000030h] 2_2_00564377
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00564B11 mov eax, dword ptr fs:[00000030h] 2_2_00564B11
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00563BE9 mov eax, dword ptr fs:[00000030h] 2_2_00563BE9
Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00562410 mov eax, dword ptr fs:[00000030h] 2_2_00562410
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD8CD6 mov eax, dword ptr fs:[00000030h] 14_2_04CD8CD6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC14FB mov eax, dword ptr fs:[00000030h] 14_2_04CC14FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h] 14_2_04C86CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h] 14_2_04C86CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h] 14_2_04C86CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1849B mov eax, dword ptr fs:[00000030h] 14_2_04C1849B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h] 14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h] 14_2_04CC4496 (12 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3A44B mov eax, dword ptr fs:[00000030h] 14_2_04C3A44B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C9C450 mov eax, dword ptr fs:[00000030h] 14_2_04C9C450 (2 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2746D mov eax, dword ptr fs:[00000030h] 14_2_04C2746D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h] 14_2_04C2B477 (12 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h] 14_2_04C3AC7B (11 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD740D mov eax, dword ptr fs:[00000030h] 14_2_04CD740D (3 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86C0A mov eax, dword ptr fs:[00000030h] 14_2_04C86C0A (4 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04CC1C06 (14 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3BC2C mov eax, dword ptr fs:[00000030h] 14_2_04C3BC2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86DC9 mov eax, dword ptr fs:[00000030h] 14_2_04C86DC9 (5 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86DC9 mov ecx, dword ptr fs:[00000030h] 14_2_04C86DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1D5E0 mov eax, dword ptr fs:[00000030h] 14_2_04C1D5E0 (2 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CCFDE2 mov eax, dword ptr fs:[00000030h] 14_2_04CCFDE2 (4 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CB8DF1 mov eax, dword ptr fs:[00000030h] 14_2_04CB8DF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C32581 mov eax, dword ptr fs:[00000030h] 14_2_04C32581 (4 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C02D8A mov eax, dword ptr fs:[00000030h] 14_2_04C02D8A (5 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h] 14_2_04CC2D82 (7 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3FD9B mov eax, dword ptr fs:[00000030h] 14_2_04C3FD9B (2 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD05AC mov eax, dword ptr fs:[00000030h] 14_2_04CD05AC (2 occurrences)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C335A1 mov eax, dword ptr fs:[00000030h] 14_2_04C335A1
Enables debug privileges
Source: C:\Users\user\Desktop\Payment_png.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.218 80
Source: C:\Windows\explorer.exe Domain query: www.loversdeal.com
Source: C:\Windows\explorer.exe Domain query: www.uforservice.com
Source: C:\Windows\explorer.exe Domain query: www.slutefuter.com
Source: C:\Windows\explorer.exe Domain query: www.booksfall.com
Source: C:\Windows\explorer.exe Network Connect: 66.96.160.133 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.32 80
Source: C:\Windows\explorer.exe Domain query: www.plowbrothers.com
Source: C:\Windows\explorer.exe Domain query: www.choupisson.com
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.233 80
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Domain query: www.domennyarendi39.net
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.birkenhof-allgaeu.net
Source: C:\Windows\explorer.exe Domain query: www.pcpartout.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Payment_png.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment_png.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment_png.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Payment_png.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Payment_png.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Payment_png.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: E70000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment_png.exe Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
Source: explorer.exe, 00000006.00000002.469681578.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2988, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY
Behavior Graph (ID: 377352, Sample: Payment_png.exe, Startdate: 29/03/2021, Architecture: WINDOWS, Score: 100)

Start: Payment_png.exe
  DNS/IP: www.silverdollarcafe.com; www.accinf5.com; silverdollarcafe.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
  -> started: Payment_png.exe
       Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
       -> started: Payment_png.exe
            DNS/IP: www.aps-mm.com; aps-mm.com 170.249.199.106, ports 443, 49712, 49713, PRIVATESYSTEMSUS, United States
            Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
            -> injected: explorer.exe
                 DNS/IP: www.birkenhof-allgaeu.net 217.160.0.233, ports 49738, 80, ONEANDONE-ASBrauerstrasse48DE, Germany; uforservice.com 23.227.38.32, ports 49742, 80, CLOUDFLARENETUS, Canada; 15 other IPs or domains
                 Signatures: System process connects to network (likely due to code injection or exploit)
                 -> started: colorcpl.exe
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> started: cmd.exe
                           -> started: conhost.exe

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.117.218 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false
217.160.0.233 | www.birkenhof-allgaeu.net | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
170.249.199.106 | aps-mm.com | United States | 63410 | PRIVATESYSTEMSUS | false
34.102.136.180 | plowbrothers.com | United States | 15169 | GOOGLEUS | false
66.96.160.133 | www.choupisson.com | United States | 29873 | BIZLAND-SDUS | true
23.227.38.32 | uforservice.com | Canada | 13335 | CLOUDFLARENETUS | true

Contacted Domains

Name | IP | Active
plowbrothers.com | 34.102.136.180 | true
td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true
aps-mm.com | 170.249.199.106 | true
parkingpage.namecheap.com | 198.54.117.218 | true
silverdollarcafe.com | 34.102.136.180 | true
uforservice.com | 23.227.38.32 | true
www.birkenhof-allgaeu.net | 217.160.0.233 | true
www.choupisson.com | 66.96.160.133 | true
www.loversdeal.com | unknown | unknown
www.uforservice.com | unknown | unknown
www.slutefuter.com | unknown | unknown
www.booksfall.com | unknown | unknown
www.plowbrothers.com | unknown | unknown
www.aps-mm.com | unknown | unknown
www.domennyarendi39.net | unknown | unknown
www.accinf5.com | unknown | unknown
www.pcpartout.com | unknown | unknown
www.silverdollarcafe.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.pcpartout.com/c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp | false | Avira URL Cloud: safe | unknown
http://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp | true | Avira URL Cloud: safe | unknown
http://aps-mm.com/bin_BNUtTDfY243.bin | false | Avira URL Cloud: safe | unknown
http://www.loversdeal.com/c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp | true | Avira URL Cloud: safe | unknown
http://www.plowbrothers.com/c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp | false | Avira URL Cloud: safe | unknown
www.booksfall.com/c8bs/ | true | Avira URL Cloud: safe | low
http://www.aps-mm.com/bin_BNUtTDfY243.bin | false | Avira URL Cloud: safe | unknown
http://www.silverdollarcafe.com/c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp | false | Avira URL Cloud: safe | unknown
http://www.birkenhof-allgaeu.net/c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp | true | Avira URL Cloud: safe | unknown
http://www.uforservice.com/c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp | true | Avira URL Cloud: safe | unknown