
Analysis Report Payment_png.exe

Overview

General Information

Sample Name: Payment_png.exe
Analysis ID: 377352
MD5: 86fa26e33879d3c04152301eaaaba518
SHA1: 3c75755b8efe897bb18ea99f6014dabd5492d32c
SHA256: eacf1b7b8d612e5a500f79a03b06f9fb919768a1fb053ce3522f3288c36067f4
Tags: GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment_png.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\Payment_png.exe' MD5: 86FA26E33879D3C04152301EAAABA518)
    • Payment_png.exe (PID: 3112 cmdline: 'C:\Users\user\Desktop\Payment_png.exe' MD5: 86FA26E33879D3C04152301EAAABA518)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 2988 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 1536 cmdline: /c del 'C:\Users\user\Desktop\Payment_png.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.booksfall.com/c8bs/"], "decoy": ["dreamwrldrp.com", "epkshu.com", "accinf5.com", "karadenizturk.com", "pcpartout.com", "kuwoopi.com", "gtaqcf.com", "lambofgodprinting.com", "vinelytv.com", "domennyarendi39.net", "broskiusa.com", "bombiepalaboy.com", "plowbrothers.com", "domentemenegi42.net", "jfhousebuyers.com", "birkenhof-allgaeu.net", "quantify-co.com", "bitoko.net", "choupisson.com", "bostonm.info", "wojkowski.com", "themersy.com", "structuredmen.net", "jadaccaentertainment.com", "strategyplace.net", "kadyshopping.com", "bookhangovers.com", "peopleskillschallenge.com", "sturestaypluspdx.com", "nxywsy.com", "citestaccnt1598622913.com", "bestmodestorestaurants.com", "thebabyfriendly.com", "aainakari.com", "cookklip.com", "8bitupgrades.com", "smartintegrityplatform.com", "silverdollarcafe.com", "obleaslaoriginal.com", "csfeliz.com", "selfmadepartners.com", "djmacktruck.com", "madefaz.net", "55zhidian.com", "slutefuter.com", "enternet360.com", "autoandtruckpartsincoh.com", "loversdeal.com", "windorians.com", "skinsbag.com", "indounace-maisounce.com", "atxrealestateforsale.com", "lotdco.com", "littlewanda.com", "epc-scot.com", "thesaltybookkeeper.com", "neebcoteam.com", "uforservice.com", "cashcanbeyours.com", "bondar.design", "rwpgoyiof.club", "mindfulreadings.com", "dhadaka.com", "aartihand.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 entries in total; only the first are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Payment_png.exe; Virustotal: Detection: 70%
Source: Payment_png.exe; Metadefender: Detection: 19%
Source: Payment_png.exe; ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match; File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY
Source: 14.2.colorcpl.exe.30327b8.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 14.2.colorcpl.exe.5117960.5.unpack; Avira: Label: TR/Dropper.Gen
Source: Payment_png.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown; HTTPS traffic detected: 170.249.199.106:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: Binary string: colorcpl.pdbGCTL source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment_png.exe, 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment_png.exe, colorcpl.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.booksfall.com/c8bs/
Source: global traffic; HTTP traffic detected: GET /c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.plowbrothers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.loversdeal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.pcpartout.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.birkenhof-allgaeu.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.choupisson.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.uforservice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.silverdollarcafe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View; IP Address: 198.54.117.218
Source: Joe Sandbox View; IP Address: 23.227.38.32
Source: Joe Sandbox View; ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View; ASN Name: BIZLAND-SDUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: aps-mm.com | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: www.aps-mm.com | Connection: Keep-Alive
Source: C:\Windows\explorer.exe; Code function: 6_2_0613D302 getaddrinfo,setsockopt,recv,6_2_0613D302
Source: unknown; DNS traffic detected: queries for: aps-mm.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 29 Mar 2021 11:59:43 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: Payment_png.exe, 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp; String found in binary or memory: http://aps-mm.com/bin_BNUtTDfY243.bin
Source: explorer.exe, 00000006.00000000.294226634.000000000F740000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.aainakari.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.aainakari.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.aainakari.com/c8bs/www.bostonm.info
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.aainakari.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.accinf5.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.accinf5.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.accinf5.com/c8bs/www.silverdollarcafe.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.accinf5.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.birkenhof-allgaeu.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.birkenhof-allgaeu.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.birkenhof-allgaeu.net/c8bs/www.choupisson.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.birkenhof-allgaeu.netReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.booksfall.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.booksfall.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.booksfall.com/c8bs/www.pcpartout.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.booksfall.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.bostonm.info
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.bostonm.info/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.bostonm.info/c8bs/www.quantify-co.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.bostonm.infoReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.broskiusa.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.broskiusa.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.broskiusa.com/c8bs/www.aainakari.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.broskiusa.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.choupisson.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.choupisson.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.choupisson.com/c8bs/www.uforservice.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.choupisson.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.domennyarendi39.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.domennyarendi39.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.domennyarendi39.net/c8bs/www.accinf5.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.domennyarendi39.netReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.domentemenegi42.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.domentemenegi42.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.domentemenegi42.net/c8bs/www.broskiusa.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.domentemenegi42.netReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.loversdeal.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.loversdeal.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.loversdeal.com/c8bs/www.booksfall.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.loversdeal.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.pcpartout.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.pcpartout.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.pcpartout.com/c8bs/www.birkenhof-allgaeu.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.pcpartout.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.plowbrothers.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.plowbrothers.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.plowbrothers.com/c8bs/www.slutefuter.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.plowbrothers.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.quantify-co.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.quantify-co.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.quantify-co.com/c8bs/M
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.quantify-co.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.silverdollarcafe.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.silverdollarcafe.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.silverdollarcafe.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.slutefuter.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.slutefuter.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.slutefuter.com/c8bs/www.loversdeal.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.slutefuter.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.uforservice.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.uforservice.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.uforservice.com/c8bs/www.domennyarendi39.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp; String found in binary or memory: http://www.uforservice.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
      Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
      Source: unknownHTTPS traffic detected: 170.249.199.106:443 -> 192.168.2.3:49714 version: TLS 1.2
      Source: C:\Windows\explorer.exeCode function: 6_2_06136EB2 OpenClipboard,6_2_06136EB2

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Executable has a suspicious name (potential lure to open the executable)
      Source: Payment_png.exe Static file information: Suspicious name
      Initial sample is a PE file and has a suspicious name
      Source: initial sample Static PE information: Filename: Payment_png.exe
      Source: C:\Users\user\Desktop\Payment_png.exe Process Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02220438 EnumWindows,NtSetInformationThread,0_2_02220438
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02224EE8 NtProtectVirtualMemory,0_2_02224EE8
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225331 NtMapViewOfSection,0_2_02225331
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02220F83 NtWriteVirtualMemory,LoadLibraryA,0_2_02220F83
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02222992 NtSetInformationThread,0_2_02222992
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221E27 NtWriteVirtualMemory,0_2_02221E27
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_0222542F NtMapViewOfSection,0_2_0222542F
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02222033 NtWriteVirtualMemory,0_2_02222033
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022220A1 NtWriteVirtualMemory,0_2_022220A1
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022204AF NtSetInformationThread,0_2_022204AF
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221AB4 NtWriteVirtualMemory,0_2_02221AB4
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221E81 NtWriteVirtualMemory,0_2_02221E81
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022254F5 NtMapViewOfSection,0_2_022254F5
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022254CB NtMapViewOfSection,0_2_022254CB
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022204D5 NtSetInformationThread,0_2_022204D5
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221F21 NtWriteVirtualMemory,0_2_02221F21
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225338 NtMapViewOfSection,0_2_02225338
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225301 NtMapViewOfSection,0_2_02225301
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221369 NtWriteVirtualMemory,0_2_02221369
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225544 NtMapViewOfSection,0_2_02225544
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022253B4 NtMapViewOfSection,0_2_022253B4
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02222183 NtWriteVirtualMemory,0_2_02222183
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02225380 NtMapViewOfSection,0_2_02225380
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221986 NtSetInformationThread,NtWriteVirtualMemory,0_2_02221986
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221F93 NtWriteVirtualMemory,0_2_02221F93
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_02221DEB NtWriteVirtualMemory,0_2_02221DEB
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 0_2_022253EF NtMapViewOfSection,0_2_022253EF
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_1E3E9660
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_1E3E96E0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,2_2_1E3E9710
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_1E3E97A0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,2_2_1E3E9780
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9FE0 NtCreateMutant,LdrInitializeThunk,2_2_1E3E9FE0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9540 NtReadFile,LdrInitializeThunk,2_2_1E3E9540
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E95D0 NtClose,LdrInitializeThunk,2_2_1E3E95D0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,2_2_1E3E9A20
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_1E3E9A00
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,2_2_1E3E9A50
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,2_2_1E3E9860
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,2_2_1E3E9840
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_1E3E98F0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_1E3E9910
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,2_2_1E3E99A0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9610 NtEnumerateValueKey,2_2_1E3E9610
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9670 NtQueryInformationProcess,2_2_1E3E9670
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9650 NtQueryValueKey,2_2_1E3E9650
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E96D0 NtCreateKey,2_2_1E3E96D0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9730 NtQueryVirtualMemory,2_2_1E3E9730
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EA710 NtOpenProcessToken,2_2_1E3EA710
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EA770 NtOpenThread,2_2_1E3EA770
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9770 NtSetInformationFile,2_2_1E3E9770
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9760 NtOpenProcess,2_2_1E3E9760
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EAD30 NtSetContextThread,2_2_1E3EAD30
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9520 NtWaitForSingleObject,2_2_1E3E9520
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9560 NtWriteFile,2_2_1E3E9560
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E95F0 NtQueryInformationFile,2_2_1E3E95F0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A10 NtQuerySection,2_2_1E3E9A10
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9A80 NtOpenDirectoryObject,2_2_1E3E9A80
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9B00 NtSetValueKey,2_2_1E3E9B00
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EA3B0 NtGetContextThread,2_2_1E3EA3B0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9820 NtEnumerateKey,2_2_1E3E9820
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3EB040 NtSuspendThread,2_2_1E3EB040
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E98A0 NtWriteVirtualMemory,2_2_1E3E98A0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E9950 NtQueueApcThread,2_2_1E3E9950
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3E99D0 NtCreateProcessEx,2_2_1E3E99D0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565331 NtSetInformationThread,2_2_00565331
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00564EE8 NtProtectVirtualMemory,2_2_00564EE8
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565301 NtSetInformationThread,2_2_00565301
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565338 NtSetInformationThread,2_2_00565338
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_005653EF NtSetInformationThread,2_2_005653EF
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565380 NtSetInformationThread,2_2_00565380
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_005653B4 NtSetInformationThread,2_2_005653B4
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_0056542F NtSetInformationThread,2_2_0056542F
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_005654CB NtSetInformationThread,2_2_005654CB
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_005654F5 NtSetInformationThread,2_2_005654F5
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_00565544 NtSetInformationThread,2_2_00565544
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C495D0 NtClose,LdrInitializeThunk,14_2_04C495D0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49540 NtReadFile,LdrInitializeThunk,14_2_04C49540
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C496D0 NtCreateKey,LdrInitializeThunk,14_2_04C496D0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C496E0 NtFreeVirtualMemory,LdrInitializeThunk,14_2_04C496E0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49650 NtQueryValueKey,LdrInitializeThunk,14_2_04C49650
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49660 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_04C49660
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49FE0 NtCreateMutant,LdrInitializeThunk,14_2_04C49FE0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49780 NtMapViewOfSection,LdrInitializeThunk,14_2_04C49780
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49710 NtQueryInformationToken,LdrInitializeThunk,14_2_04C49710
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49840 NtDelayExecution,LdrInitializeThunk,14_2_04C49840
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49860 NtQuerySystemInformation,LdrInitializeThunk,14_2_04C49860
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C499A0 NtCreateSection,LdrInitializeThunk,14_2_04C499A0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49910 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_04C49910
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A50 NtCreateFile,LdrInitializeThunk,14_2_04C49A50
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C495F0 NtQueryInformationFile,14_2_04C495F0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49560 NtWriteFile,14_2_04C49560
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49520 NtWaitForSingleObject,14_2_04C49520
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4AD30 NtSetContextThread,14_2_04C4AD30
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49670 NtQueryInformationProcess,14_2_04C49670
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49610 NtEnumerateValueKey,14_2_04C49610
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C497A0 NtUnmapViewOfSection,14_2_04C497A0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49760 NtOpenProcess,14_2_04C49760
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4A770 NtOpenThread,14_2_04C4A770
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49770 NtSetInformationFile,14_2_04C49770
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4A710 NtOpenProcessToken,14_2_04C4A710
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49730 NtQueryVirtualMemory,14_2_04C49730
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C498F0 NtReadVirtualMemory,14_2_04C498F0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C498A0 NtWriteVirtualMemory,14_2_04C498A0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4B040 NtSuspendThread,14_2_04C4B040
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49820 NtEnumerateKey,14_2_04C49820
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C499D0 NtCreateProcessEx,14_2_04C499D0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49950 NtQueueApcThread,14_2_04C49950
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A80 NtOpenDirectoryObject,14_2_04C49A80
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A00 NtProtectVirtualMemory,14_2_04C49A00
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A10 NtQuerySection,14_2_04C49A10
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49A20 NtResumeThread,14_2_04C49A20
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C4A3B0 NtGetContextThread,14_2_04C4A3B0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C49B00 NtSetValueKey,14_2_04C49B00
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_009681C0 NtCreateFile,14_2_009681C0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_009682F0 NtClose,14_2_009682F0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00968270 NtReadFile,14_2_00968270
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_009683A0 NtAllocateVirtualMemory,14_2_009683A0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C6E30
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46D616
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E472EF7
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47DFCE
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E471FF1
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46D466
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3B841F
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CB477
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464496
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E471D55
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3A0D20
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E472D07
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4725DD
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D2581
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E462D82
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BD5E0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E45FA2B
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E464AEF
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4722AE
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E44CB4F
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA309
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E472B28
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CAB40
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DEBB0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E46DBD2
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4603DA
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4523E3
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D138B
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3DABD8
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3CA830
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E461002
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E47E824
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3D20A0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3BB090
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4728EC
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E4720A8
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C4120
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3AF900
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: 2_2_1E3C99BF
      Source: C:\Windows\explorer.exe Code function: 6_2_0613A062
      Source: C:\Windows\explorer.exe Code function: 6_2_061358F9
      Source: C:\Windows\explorer.exe Code function: 6_2_061382FF
      Source: C:\Windows\explorer.exe Code function: 6_2_06135902
      Source: C:\Windows\explorer.exe Code function: 6_2_06138302
      Source: C:\Windows\explorer.exe Code function: 6_2_06136362
      Source: C:\Windows\explorer.exe Code function: 6_2_0613C5B2
      Source: C:\Windows\explorer.exe Code function: 6_2_0613B7C7
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC4496
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CCD466
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2B477
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1841F
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD25DD
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1D5E0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C32581
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC2D82
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD1D55
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD2D07
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C00D20
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD2EF7
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CCD616
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C26E30
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CDDFCE
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD1FF1
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD28EC
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1B090
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C320A0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD20A8
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC1002
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CDE824
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2A830
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C299BF
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C0F900
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C24120
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC4AEF
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD22AE
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CBFA2B
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2B236
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC03DA
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3ABD8
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CCDBD2
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CB23E3
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3138B
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3EBB0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2AB40
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CACB4F
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2A309
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD2B28
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00958C5B
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00958C60
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00952D90
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00952D8F
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_00952FB0
      Source: C:\Users\user\Desktop\Payment_png.exe Code function: String function: 1E3AB150 appears 136 times
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04C0B150 appears 136 times
      Source: Payment_png.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Payment_png.exe, 00000000.00000000.200466328.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
      Source: Payment_png.exe, 00000002.00000002.313895649.000000001DC50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Payment_png.exe
      Source: Payment_png.exe, 00000002.00000002.313927300.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Payment_png.exe
      Source: Payment_png.exe, 00000002.00000002.305998798.00000000000B3000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs Payment_png.exe
      Source: Payment_png.exe, 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_png.exe
      Source: Payment_png.exe, 00000002.00000000.245916312.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
      Source: Payment_png.exe Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
      Source: Payment_png.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@7/0@13/7
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_01
Source: C:\Users\user\Desktop\Payment_png.exe; File created: C:\Users\user\AppData\Local\Temp\~DF404ACC61CD765358.TMP
Source: Payment_png.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_png.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Payment_png.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment_png.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_png.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_png.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment_png.exe; Virustotal: Detection: 70%
Source: Payment_png.exe; Metadefender: Detection: 19%
Source: Payment_png.exe; ReversingLabs: Detection: 79%
Source: unknown; Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Users\user\Desktop\Payment_png.exe; Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_png.exe; Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\SysWOW64\colorcpl.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
Source: Window Recorder; Window detected: More than 3 window changes detected
      Source: Binary string: colorcpl.pdbGCTL source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: colorcpl.pdb source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Payment_png.exe, 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Payment_png.exe, colorcpl.exe
      Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader