Play interactive tour

Edit tour

Analysis Report payment advice_mt103645367.exe

Overview

General Information

Sample Name:	payment advice_mt103645367.exe
Analysis ID:	387728
MD5:	e4f3fd2e517743504817b7c3e2032de3
SHA1:	b42b6607bef7562a38a55b1d74fbb6e5d91f8fcf
SHA256:	08673c97c9a0e20536ce90e162e7da11dde8d4bfc4c01cabe7d3baeafaf449e6
Tags:	exeFormbookInvoice
Infos:
Most interesting Screenshot:

Detection

FormBook GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

payment advice_mt103645367.exe (PID: 6236 cmdline: 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: E4F3FD2E517743504817B7C3E2032DE3)

payment advice_mt103645367.exe (PID: 2440 cmdline: 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: E4F3FD2E517743504817B7C3E2032DE3)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

ipconfig.exe (PID: 244 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 4856 cmdline: /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.healthpro.info/hwad/"], "decoy": ["atracion.digital", "abiraron.com", "pamelaklein.com", "ailingboli.com", "stclandhome.com", "lowcarbindulgence.com", "comedytournaments.com", "hervis.academy", "votestevecody.com", "medsdiscount.cloud", "pagenstechers.com", "itagamescraft.net", "321duang.com", "digitalmarketingjobsworld.com", "spsxhstar.com", "yhnbgtr.com", "018fee1.com", "weixiang168.com", "modernlifestylejournal.com", "nathapatilgroup.com", "crevelli.com", "dimeoohnique.com", "wikihighlight.com", "yetisotomotiv.com", "nobleclothingstore.com", "927703.com", "2251ferndell.com", "trackgram.net", "bbsunglasses.com", "sk202.com", "shqundu.com", "andersonandassociatesfirm.world", "edmcpng.com", "luxxebloomy.net", "229215.com", "royalbranchhomes.com", "xinjizf.com", "distributecourt.com", "peacefulprotests.website", "sumernight.com", "mybosscoffee.com", "kuppers.info", "presentfocus.life", "fxbplus.com", "todayshomily.com", "craicing.com", "condomon.com", "stopreflujo.com", "truebanditclothing.com", "miaosenmy.com", "aco-tabi.com", "jinling.love", "jobjiihnn.club", "shopzoning.com", "corridordaily.com", "revistaentropica.com", "bajavinofest.com", "wurmo.com", "reviewsbeforebuying.com", "bodi-massazh-dlya-muzhchin.site", "keystonenation.com", "odpuertorico.com", "consciouscommune.com", "omr-omr.com"]}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x54b8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x5398:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: payment advice_mt103645367.exe PID: 2440	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: payment advice_mt103645367.exe PID: 2440	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: payment advice_mt103645367.exe PID: 2440	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: ipconfig.exe PID: 244	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP"}
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.healthpro.info/hwad/"], "decoy": ["atracion.digital", "abiraron.com", "pamelaklein.com", "ailingboli.com", "stclandhome.com", "lowcarbindulgence.com", "comedytournaments.com", "hervis.academy", "votestevecody.com", "medsdiscount.cloud", "pagenstechers.com", "itagamescraft.net", "321duang.com", "digitalmarketingjobsworld.com", "spsxhstar.com", "yhnbgtr.com", "018fee1.com", "weixiang168.com", "modernlifestylejournal.com", "nathapatilgroup.com", "crevelli.com", "dimeoohnique.com", "wikihighlight.com", "yetisotomotiv.com", "nobleclothingstore.com", "927703.com", "2251ferndell.com", "trackgram.net", "bbsunglasses.com", "sk202.com", "shqundu.com", "andersonandassociatesfirm.world", "edmcpng.com", "luxxebloomy.net", "229215.com", "royalbranchhomes.com", "xinjizf.com", "distributecourt.com", "peacefulprotests.website", "sumernight.com", "mybosscoffee.com", "kuppers.info", "presentfocus.life", "fxbplus.com", "todayshomily.com", "craicing.com", "condomon.com", "stopreflujo.com", "truebanditclothing.com", "miaosenmy.com", "aco-tabi.com", "jinling.love", "jobjiihnn.club", "shopzoning.com", "corridordaily.com", "revistaentropica.com", "bajavinofest.com", "wurmo.com", "reviewsbeforebuying.com", "bodi-massazh-dlya-muzhchin.site", "keystonenation.com", "odpuertorico.com", "consciouscommune.com", "omr-omr.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: payment advice_mt103645367.exe	Virustotal: Detection: 30%			Perma Link
Source: payment advice_mt103645367.exe	ReversingLabs: Detection: 19%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

Source: 19.2.ipconfig.exe.3b17960.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.ipconfig.exe.31b0840.1.unpack	Avira: Label: TR/Dropper.Gen

Source: payment advice_mt103645367.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.3:49727 version: TLS 1.2

Source:	Binary string: ipconfig.pdb source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: payment advice_mt103645367.exe, 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp, ipconfig.exe, 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: payment advice_mt103645367.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.healthpro.info/hwad/
Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-0g-3k-docs.googleusercontent.com

Source: explorer.exe, 00000010.00000000.474274647.000000000F5E6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.mY
Source: explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment advice_mt103645367.exe, 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.3:49727 version: TLS 1.2

Source: payment advice_mt103645367.exe, 00000000.00000002.374597434.00000000006EA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: payment advice_mt103645367.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: payment advice_mt103645367.exe

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A10 NtQuerySection,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E96D0 NtCreateKey,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EA770 NtOpenThread,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9760 NtOpenProcess,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EB040 NtSuspendThread,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9560 NtWriteFile,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00568170 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A20 NtResumeThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A10 NtQuerySection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036499A0 NtCreateSection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649840 NtDelayExecution,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036498F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649760 NtOpenProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364A770 NtOpenThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649710 NtQueryInformationToken,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649780 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036496D0 NtCreateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649560 NtWriteFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036495F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE82E0 NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE8260 NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE81B0 NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE82DC NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE825A NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE81AA NtCreateFile,

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C6E30
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E472EF7
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4722AE
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E472B28
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DEBB0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E471FF1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B841F
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461002
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB090
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4720A8
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E471D55
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A0D20
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AF900
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E472D07
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BD5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362AB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036ACB4F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D2B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C231B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B23E3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03658BE8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C03DA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363ABD8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CDBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363138B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362EB9A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036BFA2B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CE2C5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D22AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D32A9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036DE824
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03606800
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D28EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036320A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D20A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C67E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D1FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036DDFCE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03626E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03625600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CD616
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B1EB6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D1D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03600D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D2D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D25DD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036365A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C2D82
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CD466
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B477
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4496
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEBA43
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DD2FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEBFA7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB755
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEBCD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DD8C50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DD8C4B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DD2D90

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 03695720 appears 38 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0365D08C appears 39 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0360B150 appears 154 times
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: String function: 1E3AB150 appears 35 times
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: String function: 0040172E appears 35 times

Source: payment advice_mt103645367.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2X vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2X7q vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2X~p vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2XRu vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2X$t vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375025108.00000000022C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000002.490528036.000000001DC60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000002.490581294.000000001DDB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000002.492644478.000000001E62F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000000.373609554.000000000042A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000002.486757216.00000000000B7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe	Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe

Source: payment advice_mt103645367.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@6/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1564:120:WilError_01

Source: payment advice_mt103645367.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: payment advice_mt103645367.exe	Virustotal: Detection: 30%
Source: payment advice_mt103645367.exe	ReversingLabs: Detection: 19%

Source: unknown	Process created: C:\Users\user\Desktop\payment advice_mt103645367.exe 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process created: C:\Users\user\Desktop\payment advice_mt103645367.exe 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'

Source:	Binary string: ipconfig.pdb source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: payment advice_mt103645367.exe, 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp, ipconfig.exe, 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: payment advice_mt103645367.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment advice_mt103645367.exe PID: 2440, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: payment advice_mt103645367.exe PID: 2440, type: MEMORY

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040B858 push ebx; iretw
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040A66C push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_00409E24 push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040AACF push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_00408880 push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040A68B push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040A68B push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_004096B8 push ecx; iretd
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_00408B76 push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_004083C0 push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040B7C7 push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040B78A push FFFFFFA7h; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040A190 push edx; iretd
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_004083BB push ebx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3FD0D1 push ecx; ret
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00568ED4 push edx; retf
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00568EC5 push edx; retf
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0365D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB3FB push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB3F2 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB3A5 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEC7A4 push dword ptr [2E33947Ah]; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB45C push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEC547 push dword ptr [2E33947Ah]; ret

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_00562B72

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000530695 second address: 0000000000530695 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000534C11 second address: 0000000000534C11 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000535A32 second address: 0000000000535A32 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005620CB second address: 00000000005620CB instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005622AD second address: 00000000005688D9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push dword ptr [ebp+24h] 0x0000000d cmp al, 22h 0x0000000f call 00007F1E147FD4EAh 0x00000014 jmp 00007F1E147F706Eh 0x00000016 jmp 00007F1E147F7078h 0x00000018 call 00007F1E147F7035h 0x0000001d pop ebx 0x0000001e sub ebx, 05h 0x00000021 jmp 00007F1E147F706Eh 0x00000023 cmp ebx, edx 0x00000025 inc ebx 0x00000026 dec ebx 0x00000027 xor edx, edx 0x00000029 jmp 00007F1E147F7076h 0x0000002b cmp bh, ch 0x0000002d mov eax, ebx 0x0000002f jmp 00007F1E147F7072h 0x00000031 pushad 0x00000032 lfence 0x00000035 rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: payment advice_mt103645367.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: payment advice_mt103645367.exe, 00000000.00000002.374597434.00000000006EA000.00000004.00000020.sdmp	Binary or memory string: 0 FILES\QEMU-GA\QEMU-GA.EXE_

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000530695 second address: 0000000000530695 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000534C11 second address: 0000000000534C11 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000535A32 second address: 0000000000535A32 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005620CB second address: 00000000005620CB instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005622AD second address: 00000000005688D9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push dword ptr [ebp+24h] 0x0000000d cmp al, 22h 0x0000000f call 00007F1E147FD4EAh 0x00000014 jmp 00007F1E147F706Eh 0x00000016 jmp 00007F1E147F7078h 0x00000018 call 00007F1E147F7035h 0x0000001d pop ebx 0x0000001e sub ebx, 05h 0x00000021 jmp 00007F1E147F706Eh 0x00000023 cmp ebx, edx 0x00000025 inc ebx 0x00000026 dec ebx 0x00000027 xor edx, edx 0x00000029 jmp 00007F1E147F7076h 0x0000002b cmp bh, ch 0x0000002d mov eax, ebx 0x0000002f jmp 00007F1E147F7072h 0x00000031 pushad 0x00000032 lfence 0x00000035 rdtsc
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005627E7 second address: 00000000005688D9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push FFFFFFFFh 0x0000000d test ah, ch 0x0000000f push dword ptr [ebp+24h] 0x00000012 test bx, bx 0x00000015 call 00007F1E14BBEEBAh 0x0000001a jmp 00007F1E14BB8F7Eh 0x0000001c jmp 00007F1E14BB8F88h 0x0000001e call 00007F1E14BB8F45h 0x00000023 pop ebx 0x00000024 sub ebx, 05h 0x00000027 jmp 00007F1E14BB8F7Eh 0x00000029 cmp ebx, edx 0x0000002b inc ebx 0x0000002c dec ebx 0x0000002d xor edx, edx 0x0000002f jmp 00007F1E14BB8F86h 0x00000031 cmp bh, ch 0x00000033 mov eax, ebx 0x00000035 jmp 00007F1E14BB8F82h 0x00000037 pushad 0x00000038 lfence 0x0000003b rdtsc
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000002DD85E4 second address: 0000000002DD85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000002DD896E second address: 0000000002DD8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_1E3D6A60 rdtscp

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: explorer.exe, 00000010.00000000.470141246.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000000.470141246.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: payment advice_mt103645367.exe, 00000000.00000002.374597434.00000000006EA000.00000004.00000020.sdmp	Binary or memory string: 0 Files\Qemu-ga\qemu-ga.exe_
Source: explorer.exe, 00000010.00000000.469722676.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.469206322.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000010.00000000.470141246.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000010.00000000.470141246.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000010.00000002.509233796.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000010.00000000.469206322.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: payment advice_mt103645367.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000010.00000000.469206322.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000010.00000000.469206322.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_1E3D6A60 rdtscp

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E434257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E46131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E46138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E475BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E471074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E462073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E474015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E474015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4614FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E423884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E423884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E423540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E42A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4341E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E458DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4269A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00566577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00566DD1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_005639D1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00567B79 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00567B34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B5A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B5A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B5A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B5A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03601BE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036853CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036853CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036353C5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1BA8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D9BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8BB6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363138B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036BD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03611B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03611B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03604B94 mov edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362EB9A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362EB9A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036BB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036BB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03645A69 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03645A69 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03645A69 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1A5F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03694257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03604A20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03604A20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03644A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03644A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03608239 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03608239 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03608239 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03618A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03623A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605AC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605AC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605AC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03603ACA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8ADD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036012D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03601AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03635AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03635AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036312BD mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036312BD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036312BD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C129A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8966 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CE962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1951 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360395E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360395E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03603138 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036031E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036941E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D89E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C19D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036869A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CA189 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CA189 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634190 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360519E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360519E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362F86D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1843 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03620050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03620050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03607057 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634020 mov edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A830 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 9F0000

Source: C:\Windows\SysWOW64\ipconfig.exe

Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'

Source: explorer.exe, 00000010.00000000.452065592.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000010.00000000.452314813.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000000.452314813.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.452314813.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.452314813.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_00567064 cpuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: payment advice_mt103645367.exe PID: 2440, type: MEMORY
Source: Yara match	File source: Process Memory Space: ipconfig.exe PID: 244, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection412	Virtualization/Sandbox Evasion21	Input Capture1	Security Software Discovery621	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection412	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery311	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
payment advice_mt103645367.exe	30%	Virustotal		Browse
payment advice_mt103645367.exe	19%	ReversingLabs	Win32.Packed.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
19.2.ipconfig.exe.3b17960.4.unpack	100%	Avira	TR/Dropper.Gen		Download File
19.2.ipconfig.exe.31b0840.1.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://crl.mY	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
www.healthpro.info/hwad/	1%	Virustotal		Browse
www.healthpro.info/hwad/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
googlehosted.l.googleusercontent.com	216.58.214.225	true	false		high
doc-0g-3k-docs.googleusercontent.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.healthpro.info/hwad/	true	1%, Virustotal, Browse Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://crl.mY	explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.micr	explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.214.225	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	387728
Start date:	15.04.2021
Start time:	14:59:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	payment advice_mt103645367.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@6/0@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.8% (good quality ratio 50.7%) Quality average: 76.2% Quality standard deviation: 28.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183, 13.64.90.137, 168.61.161.212, 40.88.32.150, 184.30.25.218, 92.122.145.220, 184.30.24.56, 8.241.89.254, 8.241.78.126, 8.252.5.126, 8.241.82.254, 67.26.137.254, 51.103.5.186, 52.147.198.201, 20.82.210.154, 216.58.207.142, 23.32.238.234, 23.32.238.177 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcoleus16.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Dobra-Dossin.html	Get hash	malicious	Browse	216.58.214.225
	#Ud83d#Udcde977.htm	Get hash	malicious	Browse	216.58.214.225
	faktura_ODfk0021.exe	Get hash	malicious	Browse	216.58.214.225
	documents-1865367136.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-1522654785.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-1988650417.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-852304211.xlsb	Get hash	malicious	Browse	216.58.214.225
	Tooligram_PRO.exe	Get hash	malicious	Browse	216.58.214.225
	documents-1884913828.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-1097636918.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-798055763.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-590513756.xlsb	Get hash	malicious	Browse	216.58.214.225
	#Ud83d#Udcde Bpost.be AudioMessage 59-20596.htm	Get hash	malicious	Browse	216.58.214.225
	VoicePlayback (01_47) for steph.miller tsbbank .html	Get hash	malicious	Browse	216.58.214.225
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse	216.58.214.225
	documents-1321106901.xlsb	Get hash	malicious	Browse	216.58.214.225
	BR-424305.htm	Get hash	malicious	Browse	216.58.214.225
	0901e76c84536f06b_2500332020005403099_0901e76c4489e546f06b_250020214405500030995.WsF	Get hash	malicious	Browse	216.58.214.225
	mail_6512365134_7863_20210413.html	Get hash	malicious	Browse	216.58.214.225
	Cocha904.htm	Get hash	malicious	Browse	216.58.214.225

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7343961403363135
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	payment advice_mt103645367.exe
File size:	159744
MD5:	e4f3fd2e517743504817b7c3e2032de3
SHA1:	b42b6607bef7562a38a55b1d74fbb6e5d91f8fcf
SHA256:	08673c97c9a0e20536ce90e162e7da11dde8d4bfc4c01cabe7d3baeafaf449e6
SHA512:	b5cfc38957afef0641a7da98b9d48a5af2f25bc06a4d33865a0204e788902f4ad1e57efb3c34a5ae970bf3fa03eeddb084707ef4fb2b97f0c3ba908c53092822
SSDEEP:	3072:E4C7pdXpYywG+8NjNo/NKaBZ2/TJdFweCs2Z1:E4uIy3+gNo/Qaz2/TJ7ZZ2Z
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L...P.bT.................@...`...............P....@

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4017e8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5462FA50 [Wed Nov 12 06:12:32 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	66c809d2e31d4e6411dd9b96c6b12187

Entrypoint Preview

Instruction
push 004019F8h
call 00007F1E14932D45h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [9497E2F7h], bl
push es
aam 48h
mov bl, C8h
mov al, 02h
adc al, 2Ah
clc
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], cl
add edi, dword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax+72h], dl
outsd
push 00000065h
arpl word ptr [ecx+esi+00h], si
or byte ptr [ecx+00h], al
pop es
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, 5A7EE253h
and dword ptr [edx+esi+7079BA49h], ebp
mov ds, word ptr [ebx]
push ebx
fiadd word ptr [esi]
sub al, 1Ah
mov eax, dword ptr [09298894h]
dec ecx
mov dh, F8h
mov dword ptr [edi], eax
xlatb
push edx
inc eax
or edi, dword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add dword ptr [eax], eax
add byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [ebx], cl
add byte ptr [ebx+6Fh], dl
insb
outsb
outsd
jnc 00007F1E14932DC6h
insb
add byte ptr [49000401h], cl
push edi
inc ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23b24	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x99c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x231a0	0x24000	False	0.409518771701	data	5.9964546897	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x25000	0x460c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x99c	0x1000	False	0.17578125	data	2.07553915929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x2a86c	0x130	data
RT_ICON	0x2a584	0x2e8	data
RT_ICON	0x2a45c	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2a42c	0x30	data
RT_VERSION	0x2a150	0x2dc	data

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaVar2Vec, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Vought
InternalName	illusive
FileVersion	1.00
CompanyName	Vought
LegalTrademarks	Vought
Comments	Vought
ProductName	Vought
ProductVersion	1.00
FileDescription	Vought
OriginalFilename	illusive.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 15:01:48.168356895 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.220633030 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.220750093 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.221540928 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.273560047 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295789003 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295814037 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295831919 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295850039 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295896053 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.295938015 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.315543890 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.371484041 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.371601105 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.372772932 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.431608915 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649781942 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649816036 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649837971 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649858952 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649863958 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.649879932 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649899006 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.649940968 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.653405905 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.653444052 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.653563976 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.657048941 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.657087088 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.657141924 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.657183886 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.660712004 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.660753012 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.660875082 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.664372921 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.664402962 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.664524078 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.681829929 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.681978941 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.701664925 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.701687098 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.701781988 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.701817989 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.704477072 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.704499960 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.704586983 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.707109928 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.707134008 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.707227945 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.707297087 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.710812092 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.710830927 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.710927963 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.714438915 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.714457035 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.714576006 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.714641094 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.718153954 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.718182087 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.718339920 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.721776009 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.721796989 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.721900940 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.725456953 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.725483894 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.725550890 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.725589991 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.729058981 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.729087114 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.729129076 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.729165077 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.732645988 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.732671976 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.732729912 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.732772112 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.736342907 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.736368895 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.736434937 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.736515999 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.739828110 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.739869118 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.740005016 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.743393898 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.743427038 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.743531942 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.743571043 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.747034073 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.747059107 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.747467995 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.753494978 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.753664017 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.754251957 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.754268885 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.754344940 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.757025003 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.757044077 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.757096052 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.757134914 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.759288073 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.759309053 CEST	443	49727	216.58.214.225	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 14:59:50.223992109 CEST	60985	53	192.168.2.3	8.8.8.8
Apr 15, 2021 14:59:50.275547028 CEST	53	60985	8.8.8.8	192.168.2.3
Apr 15, 2021 14:59:50.700944901 CEST	50200	53	192.168.2.3	8.8.8.8
Apr 15, 2021 14:59:50.749634027 CEST	53	50200	8.8.8.8	192.168.2.3
Apr 15, 2021 14:59:57.956523895 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 15, 2021 14:59:58.005604029 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 15, 2021 14:59:59.089931965 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 15, 2021 14:59:59.140396118 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:00.099673033 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:00.148986101 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:00.474462986 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:00.560848951 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:02.795656919 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:02.854532003 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:26.144355059 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:26.217221022 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:30.829837084 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:30.878803968 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:31.748425961 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:31.799906969 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:37.678035021 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:37.726777077 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:38.626868963 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:38.675662041 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:40.054747105 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:40.103447914 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:44.478383064 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:44.539751053 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:45.154844046 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:45.208651066 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:46.134192944 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:46.182929993 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:46.537659883 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:46.597878933 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:47.086628914 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:47.136672020 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:48.507581949 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:48.569495916 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:49.507448912 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:49.558820009 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:50.445417881 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:50.494185925 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 15, 2021 15:01:29.489568949 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:01:29.552762985 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 15, 2021 15:01:47.144103050 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:01:47.210453033 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 15, 2021 15:01:48.100260973 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:01:48.165354967 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 15, 2021 15:01:55.260035992 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:01:55.319075108 CEST	53	50540	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 15, 2021 15:01:48.100260973 CEST	192.168.2.3	8.8.8.8	0x7d76	Standard query (0)	doc-0g-3k-docs.googleusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 15, 2021 15:01:48.165354967 CEST	8.8.8.8	192.168.2.3	0x7d76	No error (0)	doc-0g-3k-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 15:01:48.165354967 CEST	8.8.8.8	192.168.2.3	0x7d76	No error (0)	googlehosted.l.googleusercontent.com		216.58.214.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 15, 2021 15:01:48.295850039 CEST	216.58.214.225	443	192.168.2.3	49727	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 23 09:24:00 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 15 10:23:59 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 15, 2021 15:01:48.295850039 CEST	216.58.214.225	443	192.168.2.3	49727	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: payment advice_mt103645367.exe PID: 6236 Parent PID: 5684

General

Start time:	15:00:05
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\payment advice_mt103645367.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Imagebase:	0x400000
File size:	159744 bytes
MD5 hash:	E4F3FD2E517743504817B7C3E2032DE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: payment advice_mt103645367.exe PID: 2440 Parent PID: 6236

General

Start time:	15:01:14
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\payment advice_mt103645367.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Imagebase:	0x400000
File size:	159744 bytes
MD5 hash:	E4F3FD2E517743504817B7C3E2032DE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3388 Parent PID: 2440

General

Start time:	15:01:50
Start date:	15/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: ipconfig.exe PID: 244 Parent PID: 3388

General

Start time:	15:02:03
Start date:	15/04/2021
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0x9f0000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	moderate

Analysis Process: cmd.exe PID: 4856 Parent PID: 244

General

Start time:	15:02:07
Start date:	15/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Imagebase:	0x9a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 1564 Parent PID: 4856

General

Start time:	15:02:08
Start date:	15/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report payment advice_mt103645367.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets