
Windows Analysis Report Payment_Advice.exe

Overview

General Information

Sample Name: Payment_Advice.exe
Analysis ID: 458954
MD5: b5a3a16559c14a2db6837fb8792134ae
SHA1: 31280391b1a399a3bc1c8ea0f4fb27e2dc9e56a0
SHA256: c8ff043caee4e9cc889d1b7f8149e5c59ec43d2d01edeb49cb40fe1fd09a233a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Payment_Advice.exe (PID: 2648 cmdline: 'C:\Users\user\Desktop\Payment_Advice.exe' MD5: B5A3A16559C14A2DB6837FB8792134AE)
    • RegSvcs.exe (PID: 1156 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • cmd.exe (PID: 2288 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5756 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 2344 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 1156 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.illoftapartments.com/uecu/"], "decoy": ["ishtarhotel.com", "woodstrends.icu", "jalenowens.com", "manno.expert", "ssg1asia.com", "telepathylaw.com", "quickoprintnv.com", "abrosnm3.com", "lumberjackcatering.com", "beachujamaica.com", "thomasjeffersonbyrd.com", "starryfinds.com", "shelavish2.com", "royalglamempirellc.com", "deixandomeuemprego.com", "alexgoestech.xyz", "opticamn.com", "fermanchevybrandon.com", "milbodegas.info", "adunarsrl.com", "dataatlus.com", "missabrams.com", "beaconservicesuk.com", "tvforpc.website", "dipmarketingagency.com", "milsontt.com", "londonsashwindowsservices.com", "feedmysheepdaily.com", "firsttimephysics.com", "hosefire.com", "southdocknj.com", "idfstool.com", "drelip.com", "decayette.com", "awakenedgodsofbeauty.com", "easttexasranch.com", "risinglanka.com", "meetingoffices.com", "vase-composition.com", "kupon.asia", "alltimeselfstorage.com", "gatorbrewcoffee.com", "api-pay-agent.com", "height-project.online", "flbtyc638.com", "psdmoravita.com", "highbrowhairstudio.com", "deepblueriver.com", "yh22022.com", "sts-100.com", "michaelfmoore.com", "alzheimers.computer", "produtos-servicos.website", "zyuyktlcu.icu", "ezewasser.com", "outstanding-palisade.com", "saioura.com", "core.run", "allaboutlifeblog.com", "foodolog.net", "somerderm.com", "scootrlv.com", "ahjjbxg.com", "gasworldchampionships.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C

00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(18 further memory-dump entries are not included in this extract.)

Unpacked PEs

Source | Rule | Description | Author | Strings

12.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

12.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

12.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158c9:$sqlite3step: 68 34 1C 7B E1
  • 0x159dc:$sqlite3step: 68 34 1C 7B E1
  • 0x158f8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
  • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C

12.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

12.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(1 further unpacked-PE entry is not included in this extract.)

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 1156, ProcessCommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', ProcessId: 2288

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.illoftapartments.com/uecu/"], "decoy": ["ishtarhotel.com", "woodstrends.icu", "jalenowens.com", "manno.expert", "ssg1asia.com", "telepathylaw.com", "quickoprintnv.com", "abrosnm3.com", "lumberjackcatering.com", "beachujamaica.com", "thomasjeffersonbyrd.com", "starryfinds.com", "shelavish2.com", "royalglamempirellc.com", "deixandomeuemprego.com", "alexgoestech.xyz", "opticamn.com", "fermanchevybrandon.com", "milbodegas.info", "adunarsrl.com", "dataatlus.com", "missabrams.com", "beaconservicesuk.com", "tvforpc.website", "dipmarketingagency.com", "milsontt.com", "londonsashwindowsservices.com", "feedmysheepdaily.com", "firsttimephysics.com", "hosefire.com", "southdocknj.com", "idfstool.com", "drelip.com", "decayette.com", "awakenedgodsofbeauty.com", "easttexasranch.com", "risinglanka.com", "meetingoffices.com", "vase-composition.com", "kupon.asia", "alltimeselfstorage.com", "gatorbrewcoffee.com", "api-pay-agent.com", "height-project.online", "flbtyc638.com", "psdmoravita.com", "highbrowhairstudio.com", "deepblueriver.com", "yh22022.com", "sts-100.com", "michaelfmoore.com", "alzheimers.computer", "produtos-servicos.website", "zyuyktlcu.icu", "ezewasser.com", "outstanding-palisade.com", "saioura.com", "core.run", "allaboutlifeblog.com", "foodolog.net", "somerderm.com", "scootrlv.com", "ahjjbxg.com", "gasworldchampionships.com"]}
Multi AV Scanner detection for submitted file
Source: Payment_Advice.exe, Virustotal: Detection: 42%
Source: Payment_Advice.exe, Metadefender: Detection: 40%
Source: Payment_Advice.exe, ReversingLabs: Detection: 85%
Yara detected FormBook
Source: Yara match, File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Payment_Advice.exe, Joe Sandbox ML: detected
Source: 12.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Payment_Advice.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment_Advice.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.356567151.0000000000B78000.00000004.00000020.sdmp
Source: Binary string: colorcpl.pdb source: RegSvcs.exe, 0000000C.00000002.356567151.0000000000B78000.00000004.00000020.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000010.00000000.328016428.000000000F6F8000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.327085118.000000000EFC0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: colorcpl.exe, 00000015.00000002.477075161.0000000004B67000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000C.00000002.357013841.0000000000FB0000.00000040.00000001.sdmp, colorcpl.exe, 00000015.00000002.471806591.0000000004630000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, colorcpl.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000010.00000000.328016428.000000000F6F8000.00000004.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: colorcpl.exe, 00000015.00000002.477075161.0000000004B67000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.327085118.000000000EFC0000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 154.23.83.67:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 154.23.83.67:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 154.23.83.67:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.illoftapartments.com/uecu/
Source: global traffic, HTTP traffic detected: GET /uecu/?fXJ=z64Txz&2d3pCdLh=s7j1QsnOxn4iRchbaINLVToxitdCMGa8G3lQ/6LX9JGbR/ScT5dxpPHG5+tB2xnbOyUI HTTP/1.1, Host: www.dipmarketingagency.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /uecu/?2d3pCdLh=I+cFmvzvjfujRN3oltevYzRyUOJqDj5YxiqkJ4i7Zjmur1++tOYpTWGX3hXOvnB+KlCx&fXJ=z64Txz HTTP/1.1, Host: www.illoftapartments.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /uecu/?fXJ=z64Txz&2d3pCdLh=u60vTBsF9oPaXHkJdoxCc4Kqv5IVcROu1QUUkePEY82yQrKo/wvecAMYDl3vDcEzgvnI HTTP/1.1, Host: www.manno.expert, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /uecu/?2d3pCdLh=hr7+JRYyT1HVyDshWD8v/2ivT/o36mEBRVmbpvRN6jTQqfRWnpyet8LANEukLjLgYMOr&fXJ=z64Txz HTTP/1.1, Host: www.firsttimephysics.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 208.91.197.27
Source: Joe Sandbox View, ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown, DNS traffic detected: queries for: www.dipmarketingagency.com
Source: explorer.exe, 00000010.00000000.320127365.0000000008907000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: colorcpl.exe, 00000015.00000002.477463431.0000000004CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.arifureta-shokugyou-de-sekai-saikyou.com?fXJ=z64Txz&2d3pCdLh=euCGN8RtrYk2s603FqWaeKSKafFu
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comamM
Source: Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comepko
Source: Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comm%M
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large stringsShow sources
          Source: Payment_Advice.exe, ImageSilder/Transitions/Star.csLong String: Length: 24686
          Source: 0.2.Payment_Advice.exe.d30000.0.unpack, ImageSilder/Transitions/Star.csLong String: Length: 24686
          Source: 0.0.Payment_Advice.exe.d30000.0.unpack, ImageSilder/Transitions/Star.csLong String: Length: 24686
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Payment_Advice.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_004181D0 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00418280 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00418300 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_004183B0 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_004181CA NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0041827A NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00418222 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_004183AA NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010199A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010198F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010195D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010197A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010196E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010199D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0101B040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010198A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0101A3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0101AD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010195F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0101A710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0101A770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01019670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010196D0 NtCreateKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046995D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046996E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046996D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046999A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699560 NtWriteFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0469AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046995F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699760 NtOpenProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0469A770 NtOpenThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0469A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046997A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0469B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046998F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046998A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046999D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699A20 NtResumeThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699A10 NtQuerySection
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04699B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0469A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025C8280 NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025C8300 NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025C83B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025C81D0 NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025C827A NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025C8222 NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025C83AA NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025C81CA NtCreateFile
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_00D36665
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0300C1D4
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0300E620
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0300E630
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A2668
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A840E
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A3B40
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A9359
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A71A0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A68B0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A16B0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A16C0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A2667
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A25A8
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A0DB0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A0DC0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A4548
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A4558
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078AAC91
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A740C
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A1459
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A1468
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A4BB9
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A73C0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A4BD0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A1B09
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A1B18
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A6B18
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A6B17
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A3B3F
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A3230
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A4268
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A4267
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A7192
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A31DD
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A01E0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A01F0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A1941
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A1950
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A68A0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A10B0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A10C0
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_078A6858
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0041B9A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0041CB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0041CB43
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0041C3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00408C6B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00408C70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0041B67B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0041C75A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FEB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FFA830
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01091002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010AE824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010020A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A20A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FF4120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A28EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FDF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A2B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0100EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010903DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0109DBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0108FA2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A22AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FFAB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A2D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01002581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A25DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FE841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FED5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0109D466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FD0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010ADFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00FF6E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A1FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0109D616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_010A2EF7
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0467B477
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0471D466
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0466841F
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04714496
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04721D55
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04650D20
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04722D07
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0466D5E0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_047225DD
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04682581
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04712D82
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04676E30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0471D616
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04722EF7
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04721FF1
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0472DFCE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0472E824
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0467A830
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04711002
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_047228EC
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046820A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_047220A8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0466B090
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04674120
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0465F900
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046799BF
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0467B236
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0470FA2B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04714AEF
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_047222AE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_046FCB4F
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0467AB40
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_04722B28
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0467A309
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_047023E3
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0471DBD2
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_047103DA
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0468ABD8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0468EBB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0468138B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025CCB40
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025CCB43
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025CB9A5
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025CB67B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025CC75A
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025B2FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025B8C70
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025B8C6B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025B2D90
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_025B2D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00FDB150 appears 54 times
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 0465B150 appears 136 times
          Source: Payment_Advice.exe, 00000000.00000002.301380501.0000000007950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Payment_Advice.exe
          Source: Payment_Advice.exe, 00000000.00000000.202669045.0000000000E0A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename0YuzGcFX.exe< vs Payment_Advice.exe
          Source: Payment_Advice.exe, 00000000.00000002.301164733.0000000007600000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment_Advice.exe
          Source: Payment_Advice.exe | Binary or memory string: OriginalFilename0YuzGcFX.exe< vs Payment_Advice.exe
          Source: Payment_Advice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook