Windows Analysis Report: New order payment.exe

Overview

General Information

Sample Name: New order payment.exe
Analysis ID: 510241
MD5: 0c301355b11c3bc570d18b02bb7c99d8
SHA1: b35295390555e6fc0b85d538dafbfb4cf8c68564
SHA256: 77abd0b0f20b0ca86c241acf5d5d60188362e75213f894b7bea82c8f75a3c1b1
Tags: exe formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

AV Detection:

Found malware configuration
Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.crisisinterventionadvocates.com/u9xn/"], "decoy": ["lifeguardingcoursenearme.com", "bolsaspapelcdmx.com", "parsleypkllqu.xyz", "68134.online", "shopthatlookboutique.com", "canlibahisportal.com", "oligopoly.city", "srchwithus.online", "151motors.com", "17yue.info", "auntmarysnj.com", "hanansalman.com", "heyunshangcheng.info", "doorslamersplus.com", "sfcn-dng.com", "highvizpeople.com", "seoexpertinbangladesh.com", "christinegagnonjewellery.com", "artifactorie.biz", "mre3.net", "webbyteanalysis.online", "medicmir.store", "shdxh.com", "salvationshippingsecurity.com", "michita.xyz", "itskosi.com", "aligncoachingconsulting.com", "cryptorickclub.art", "cyliamartisbackup.com", "ttemola.com", "mujeresenfarmalatam.com", "mykombuchafactory.com", "irasutoya-ryou.com", "envtmyouliqy.mobi", "expert-rse.com", "oddanimalsink.com", "piezoelectricenergy.com", "itservices-india.com", "wintwiin.com", "umgaleloacademy.com", "everythangbutwhite.com", "ishhs.xyz", "brandsofcannabis.com", "sculptingstones.com", "hilldetailingllc.com", "stone-project.net", "rbrituelbeaute.com", "atzoom.store", "pronogtiki.store", "baybeg.com", "b148tlrfee9evtvorgm5947.com", "msjanej.com", "western-overseas.info", "sharpecommunications.com", "atlantahomesforcarguys.com", "neosudo.com", "blulacedefense.com", "profilecolombia.com", "blacksaltspain.com", "sejiw3.xyz", "saint444.com", "getoken.net", "joycegsy.com", "fezora.xyz"]}
Yara detected FormBook
Source: Yara match File source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.sejiw3.xyz/u9xn/?EvGDLnJ=Mi491nAN/W8j69kCQou8To2ktmeGxZt9RYONiJPW2rEgEezOpzjOfOleU2kzp5ym9Hqq&5j=0BKPgh7X4n Avira URL Cloud: Label: phishing
Machine Learning detection for sample
Source: New order payment.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.New order payment.exe.400000.3.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.New order payment.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.2.New order payment.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.New order payment.exe.400000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.New order payment.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.svchost.exe.3015000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.New order payment.exe.400000.1.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.1.New order payment.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.New order payment.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.New order payment.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.svchost.exe.3d3796c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.New order payment.exe.f020000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: New order payment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: New order payment.exe, 00000000.00000003.242757682.000000000F1F0000.00000004.00000001.sdmp, New order payment.exe, 00000001.00000003.244051355.0000000000630000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.503827179.000000000391F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New order payment.exe, svchost.exe
Source: Binary string: svchost.pdb source: New order payment.exe, 00000001.00000002.301223099.00000000026E0000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP source: New order payment.exe, 00000001.00000002.301223099.00000000026E0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\New order payment.exe Code function: 4x nop then pop ebx 1_2_00406AB4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 4x nop then pop ebx 1_1_00406AB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 14_2_02D96AB5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 51.210.240.92:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 51.210.240.92:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 51.210.240.92:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49791 -> 74.208.236.134:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49791 -> 74.208.236.134:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49791 -> 74.208.236.134:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 35.241.55.103:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 35.241.55.103:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 35.241.55.103:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49800 -> 52.210.179.84:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49800 -> 52.210.179.84:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49800 -> 52.210.179.84:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.hanansalman.com
Source: C:\Windows\explorer.exe Domain query: www.sejiw3.xyz
Source: C:\Windows\explorer.exe Domain query: www.crisisinterventionadvocates.com
Source: C:\Windows\explorer.exe Network Connect: 137.184.31.35 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Domain query: www.srchwithus.online
Source: C:\Windows\explorer.exe Domain query: www.heyunshangcheng.info
Source: C:\Windows\explorer.exe Network Connect: 51.210.240.92 80
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.134 80
Source: C:\Windows\explorer.exe Network Connect: 3.67.234.155 80
Source: C:\Windows\explorer.exe Network Connect: 35.241.55.103 80
Source: C:\Windows\explorer.exe Domain query: www.christinegagnonjewellery.com
Source: C:\Windows\explorer.exe Domain query: www.mykombuchafactory.com
Source: C:\Windows\explorer.exe Domain query: www.itskosi.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.salvationshippingsecurity.com
Source: C:\Windows\explorer.exe Domain query: www.sfcn-dng.com
Source: C:\Windows\explorer.exe Domain query: www.umgaleloacademy.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.sejiw3.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.crisisinterventionadvocates.com/u9xn/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: PANDGUS
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /u9xn/?EvGDLnJ=eYxsMd5wljUn1Fg6115NyaMNAPOWoN8Xbg1oh/XArMcWaLbikdCkMKkIXUVVkDc1SuQ5&5j=0BKPgh7X4n HTTP/1.1 Host: www.salvationshippingsecurity.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?EvGDLnJ=RrR08BH4oIo+gx361vOF46QRRg434M3aJQMobyGncW6ZpM1n/iVBy8ajhiKV3UdnqaZn&5j=0BKPgh7X4n HTTP/1.1 Host: www.heyunshangcheng.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?EvGDLnJ=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&5j=0BKPgh7X4n HTTP/1.1 Host: www.crisisinterventionadvocates.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?EvGDLnJ=Js+sgmRaIVUq7qFzsJAJ+9AXXLZC0X79cc7qqoZBkLaFxYs1smoq8VOLmQUttipLhfLz&5j=0BKPgh7X4n HTTP/1.1 Host: www.srchwithus.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?EvGDLnJ=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&5j=0BKPgh7X4n HTTP/1.1 Host: www.itskosi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?EvGDLnJ=Mi491nAN/W8j69kCQou8To2ktmeGxZt9RYONiJPW2rEgEezOpzjOfOleU2kzp5ym9Hqq&5j=0BKPgh7X4n HTTP/1.1 Host: www.sejiw3.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?EvGDLnJ=FQ+FDzcRNFqTHDas5QzX/ZxEACq3iyWpSRLff56TNweY9Uo4XxUeKhcbnwpchSkctfqz&5j=0BKPgh7X4n HTTP/1.1 Host: www.hanansalman.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 160.153.136.3
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 27 Oct 2021 14:20:27 GMT Content-Type: text/html Content-Length: 275 ETag: "61704c6b-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Wed, 27 Oct 2021 14:20:38 GMT Server: Apache Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp String found in binary or memory: http://181ue.com/sq.html?entry=
Source: New order payment.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New order payment.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp String found in binary or memory: https://hm.baidu.com/hm.js?
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp String found in binary or memory: https://pre-mpnewyear.uc.cn/iceberg/page/log?domain=
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp String found in binary or memory: https://track.uc.cn/collect
Source: unknown DNS traffic detected: queries for: www.salvationshippingsecurity.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: New order payment.exe, 00000000.00000002.244197590.000000000074A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

E-Banking Fraud:

Yara detected FormBook (sources identical to those listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New order payment.exe
Executable has a suspicious name (potential lure to open the executable)
Source: New order payment.exe Static file information: Suspicious name
Uses 32bit PE files
Source: New order payment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0382B150 appears 107 times
Source: C:\Users\user\Desktop\New order payment.exe Code function: String function: 0098B150 appears 87 times
Source: C:\Users\user\Desktop\New order payment.exe Code function: String function: 0041A380 appears 38 times
Source: C:\Users\user\Desktop\New order payment.exe Code function: String function: 0041A4B0 appears 38 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_004185D0 NtCreateFile, 1_2_004185D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00418680 NtReadFile, 1_2_00418680
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00418700 NtClose, 1_2_00418700
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_004187B0 NtAllocateVirtualMemory, 1_2_004187B0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_004185CA NtCreateFile, 1_2_004185CA
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0041867A NtReadFile, 1_2_0041867A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_004186FB NtClose, 1_2_004186FB
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_009C98F0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9840 NtDelayExecution,LdrInitializeThunk, 1_2_009C9840
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_009C9860
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C99A0 NtCreateSection,LdrInitializeThunk, 1_2_009C99A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_009C9910
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_009C9A00
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9A20 NtResumeThread,LdrInitializeThunk, 1_2_009C9A20
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9A50 NtCreateFile,LdrInitializeThunk, 1_2_009C9A50
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C95D0 NtClose,LdrInitializeThunk, 1_2_009C95D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9540 NtReadFile,LdrInitializeThunk, 1_2_009C9540
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_009C96E0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_009C9660
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_009C9780
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_009C97A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_009C9FE0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_009C9710
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C98A0 NtWriteVirtualMemory, 1_2_009C98A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9820 NtEnumerateKey, 1_2_009C9820
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009CB040 NtSuspendThread, 1_2_009CB040
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C99D0 NtCreateProcessEx, 1_2_009C99D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9950 NtQueueApcThread, 1_2_009C9950
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9A80 NtOpenDirectoryObject, 1_2_009C9A80
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9A10 NtQuerySection, 1_2_009C9A10
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009CA3B0 NtGetContextThread, 1_2_009CA3B0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9B00 NtSetValueKey, 1_2_009C9B00
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C95F0 NtQueryInformationFile, 1_2_009C95F0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009CAD30 NtSetContextThread, 1_2_009CAD30
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9520 NtWaitForSingleObject, 1_2_009C9520
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9560 NtWriteFile, 1_2_009C9560
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C96D0 NtCreateKey, 1_2_009C96D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9610 NtEnumerateValueKey, 1_2_009C9610
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9650 NtQueryValueKey, 1_2_009C9650
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9670 NtQueryInformationProcess, 1_2_009C9670
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009CA710 NtOpenProcessToken, 1_2_009CA710
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9730 NtQueryVirtualMemory, 1_2_009C9730
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9770 NtSetInformationFile, 1_2_009C9770
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009CA770 NtOpenThread, 1_2_009CA770
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C9760 NtOpenProcess, 1_2_009C9760
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_004185D0 NtCreateFile, 1_1_004185D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_00418680 NtReadFile, 1_1_00418680
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_00418700 NtClose, 1_1_00418700
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_004187B0 NtAllocateVirtualMemory, 1_1_004187B0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_004185CA NtCreateFile, 1_1_004185CA
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_0041867A NtReadFile, 1_1_0041867A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_004186FB NtClose, 1_1_004186FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869A50 NtCreateFile,LdrInitializeThunk, 14_2_03869A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038699A0 NtCreateSection,LdrInitializeThunk, 14_2_038699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_03869910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869840 NtDelayExecution,LdrInitializeThunk, 14_2_03869840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_03869860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869780 NtMapViewOfSection,LdrInitializeThunk, 14_2_03869780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869FE0 NtCreateMutant,LdrInitializeThunk, 14_2_03869FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869710 NtQueryInformationToken,LdrInitializeThunk, 14_2_03869710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038696D0 NtCreateKey,LdrInitializeThunk, 14_2_038696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038696E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_038696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869650 NtQueryValueKey,LdrInitializeThunk, 14_2_03869650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_03869660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038695D0 NtClose,LdrInitializeThunk, 14_2_038695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869540 NtReadFile,LdrInitializeThunk, 14_2_03869540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0386A3B0 NtGetContextThread, 14_2_0386A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869B00 NtSetValueKey, 14_2_03869B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869A80 NtOpenDirectoryObject, 14_2_03869A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869A00 NtProtectVirtualMemory, 14_2_03869A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869A10 NtQuerySection, 14_2_03869A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869A20 NtResumeThread, 14_2_03869A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038699D0 NtCreateProcessEx, 14_2_038699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869950 NtQueueApcThread, 14_2_03869950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038698A0 NtWriteVirtualMemory, 14_2_038698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038698F0 NtReadVirtualMemory, 14_2_038698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869820 NtEnumerateKey, 14_2_03869820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0386B040 NtSuspendThread, 14_2_0386B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038697A0 NtUnmapViewOfSection, 14_2_038697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0386A710 NtOpenProcessToken, 14_2_0386A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869730 NtQueryVirtualMemory, 14_2_03869730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869760 NtOpenProcess, 14_2_03869760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0386A770 NtOpenThread, 14_2_0386A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869770 NtSetInformationFile, 14_2_03869770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869610 NtEnumerateValueKey, 14_2_03869610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869670 NtQueryInformationProcess, 14_2_03869670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038695F0 NtQueryInformationFile, 14_2_038695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869520 NtWaitForSingleObject, 14_2_03869520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0386AD30 NtSetContextThread, 14_2_0386AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03869560 NtWriteFile, 14_2_03869560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DA8680 NtReadFile, 14_2_02DA8680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DA87B0 NtAllocateVirtualMemory, 14_2_02DA87B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DA8700 NtClose, 14_2_02DA8700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DA85D0 NtCreateFile, 14_2_02DA85D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DA86FB NtClose, 14_2_02DA86FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DA867A NtReadFile, 14_2_02DA867A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DA85CA NtCreateFile, 14_2_02DA85CA
Sample file is different than original file name gathered from version info
Source: New order payment.exe, 00000000.00000003.238846897.000000000F176000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs New order payment.exe
Source: New order payment.exe, 00000001.00000002.301292454.00000000026EB000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs New order payment.exe
Source: New order payment.exe, 00000001.00000003.244188608.0000000000746000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs New order payment.exe
Source: C:\Users\user\Desktop\New order payment.exe File read: C:\Users\user\Desktop\New order payment.exe
Source: New order payment.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New order payment.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\New order payment.exe 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Users\user\Desktop\New order payment.exe Process created: C:\Users\user\Desktop\New order payment.exe 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New order payment.exe Process created: C:\Users\user\Desktop\New order payment.exe 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Users\user\Desktop\New order payment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\New order payment.exe File created: C:\Users\user\AppData\Local\Temp\nseE55E.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@13/7
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\New order payment.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: New order payment.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: wntdll.pdbUGP source: New order payment.exe, 00000000.00000003.242757682.000000000F1F0000.00000004.00000001.sdmp, New order payment.exe, 00000001.00000003.244051355.0000000000630000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.503827179.000000000391F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New order payment.exe, svchost.exe
Source: Binary string: svchost.pdb source: New order payment.exe, 00000001.00000002.301223099.00000000026E0000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP source: New order payment.exe, 00000001.00000002.301223099.00000000026E0000.00000040.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0041B87C push eax; ret 1_2_0041B882
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0041B812 push eax; ret 1_2_0041B818
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0041B81B push eax; ret 1_2_0041B882
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0041C951 push FFFFFFA3h; ret 1_2_0041C955
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00404F18 push edi; retf 1_2_00404F19
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0041B7C5 push eax; ret 1_2_0041B818
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009DD0D1 push ecx; ret 1_2_009DD0E4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_0041B87C push eax; ret 1_1_0041B882
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_0041B812 push eax; ret 1_1_0041B818
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_0041B81B push eax; ret 1_1_0041B882
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_0041C951 push FFFFFFA3h; ret 1_1_0041C955
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_00404F18 push edi; retf 1_1_00404F19
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_1_0041B7C5 push eax; ret 1_1_0041B818
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0387D0D1 push ecx; ret 14_2_0387D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DAB87C push eax; ret 14_2_02DAB882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DAB81B push eax; ret 14_2_02DAB882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DAB812 push eax; ret 14_2_02DAB818
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DAC951 push FFFFFFA3h; ret 14_2_02DAC955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02DAB7C5 push eax; ret 14_2_02DAB818
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_02D94F18 push edi; retf 14_2_02D94F19

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\New order payment.exe File created: C:\Users\user\AppData\Local\Temp\nspE59E.tmp\fsfowpfjd.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Users\user\Desktop\New order payment.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\New order payment.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\New order payment.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002D98604 second address: 0000000002D9860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002D9898E second address: 0000000002D98994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6456 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 6316 Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
Source: C:\Users\user\Desktop\New order payment.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: explorer.exe, 00000004.00000000.254567298.00000000089B5000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATA?6
Source: explorer.exe, 00000004.00000000.254493114.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.248427538.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: New order payment.exe, 00000000.00000002.244218595.0000000000776000.00000004.00000020.sdmp Binary or memory string: \divorces\tryout\marmalade.bmpjylqawoozfsSOFTWARE\roscoepduiiqsjbwqemuykqfwrylxmvbggeyuzsvpgz21176
Source: explorer.exe, 00000004.00000000.280451175.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.247577904.00000000011B3000.00000004.00000020.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%%
Source: explorer.exe, 00000004.00000000.274875851.000000000DC2B000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}))
Source: explorer.exe, 00000004.00000000.254567298.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.249068214.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.254567298.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000004.00000000.257414229.000000000DC67000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Shell\M22
Source: explorer.exe, 00000004.00000000.288676486.000000000DC2B000.00000004.00000001.sdmp Binary or memory string: 0ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&96

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_73223070 sclag,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect, 0_2_73223070
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\New order payment.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_732254DA mov eax, dword ptr fs:[00000030h] 0_2_732254DA
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_7322581C mov eax, dword ptr fs:[00000030h] 0_2_7322581C
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_7322579F mov eax, dword ptr fs:[00000030h] 0_2_7322579F
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_732256EE mov eax, dword ptr fs:[00000030h] 0_2_732256EE
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_732257DE mov eax, dword ptr fs:[00000030h] 0_2_732257DE
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00989080 mov eax, dword ptr fs:[00000030h] 1_2_00989080
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BF0BF mov ecx, dword ptr fs:[00000030h] 1_2_009BF0BF
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BF0BF mov eax, dword ptr fs:[00000030h] 1_2_009BF0BF
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BF0BF mov eax, dword ptr fs:[00000030h] 1_2_009BF0BF
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A03884 mov eax, dword ptr fs:[00000030h] 1_2_00A03884
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A03884 mov eax, dword ptr fs:[00000030h] 1_2_00A03884
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C90AF mov eax, dword ptr fs:[00000030h] 1_2_009C90AF
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h] 1_2_009B20A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h] 1_2_009B20A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h] 1_2_009B20A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h] 1_2_009B20A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h] 1_2_009B20A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h] 1_2_009B20A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A1B8D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00A1B8D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A1B8D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A1B8D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A1B8D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A1B8D0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009858EC mov eax, dword ptr fs:[00000030h] 1_2_009858EC
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009840E1 mov eax, dword ptr fs:[00000030h] 1_2_009840E1
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009840E1 mov eax, dword ptr fs:[00000030h] 1_2_009840E1
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009840E1 mov eax, dword ptr fs:[00000030h] 1_2_009840E1
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AB8E4 mov eax, dword ptr fs:[00000030h] 1_2_009AB8E4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AB8E4 mov eax, dword ptr fs:[00000030h] 1_2_009AB8E4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AA830 mov eax, dword ptr fs:[00000030h] 1_2_009AA830
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AA830 mov eax, dword ptr fs:[00000030h] 1_2_009AA830
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AA830 mov eax, dword ptr fs:[00000030h] 1_2_009AA830
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AA830 mov eax, dword ptr fs:[00000030h] 1_2_009AA830
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A54015 mov eax, dword ptr fs:[00000030h] 1_2_00A54015
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A54015 mov eax, dword ptr fs:[00000030h] 1_2_00A54015
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099B02A mov eax, dword ptr fs:[00000030h] 1_2_0099B02A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099B02A mov eax, dword ptr fs:[00000030h] 1_2_0099B02A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099B02A mov eax, dword ptr fs:[00000030h] 1_2_0099B02A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099B02A mov eax, dword ptr fs:[00000030h] 1_2_0099B02A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A07016 mov eax, dword ptr fs:[00000030h] 1_2_00A07016
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A07016 mov eax, dword ptr fs:[00000030h] 1_2_00A07016
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A07016 mov eax, dword ptr fs:[00000030h] 1_2_00A07016
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B002D mov eax, dword ptr fs:[00000030h] 1_2_009B002D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B002D mov eax, dword ptr fs:[00000030h] 1_2_009B002D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B002D mov eax, dword ptr fs:[00000030h] 1_2_009B002D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B002D mov eax, dword ptr fs:[00000030h] 1_2_009B002D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B002D mov eax, dword ptr fs:[00000030h] 1_2_009B002D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A0050 mov eax, dword ptr fs:[00000030h] 1_2_009A0050
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A0050 mov eax, dword ptr fs:[00000030h] 1_2_009A0050
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A51074 mov eax, dword ptr fs:[00000030h] 1_2_00A51074
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A42073 mov eax, dword ptr fs:[00000030h] 1_2_00A42073
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A449A4 mov eax, dword ptr fs:[00000030h] 1_2_00A449A4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A449A4 mov eax, dword ptr fs:[00000030h] 1_2_00A449A4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A449A4 mov eax, dword ptr fs:[00000030h] 1_2_00A449A4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A449A4 mov eax, dword ptr fs:[00000030h] 1_2_00A449A4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A069A6 mov eax, dword ptr fs:[00000030h] 1_2_00A069A6
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B2990 mov eax, dword ptr fs:[00000030h] 1_2_009B2990
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AC182 mov eax, dword ptr fs:[00000030h] 1_2_009AC182
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BA185 mov eax, dword ptr fs:[00000030h] 1_2_009BA185
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A051BE mov eax, dword ptr fs:[00000030h] 1_2_00A051BE
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A051BE mov eax, dword ptr fs:[00000030h] 1_2_00A051BE
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A051BE mov eax, dword ptr fs:[00000030h] 1_2_00A051BE
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A051BE mov eax, dword ptr fs:[00000030h] 1_2_00A051BE
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h] 1_2_009A99BF
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h] 1_2_009A99BF
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A99BF mov eax, dword ptr fs:[00000030h] 1_2_009A99BF
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B61A0 mov eax, dword ptr fs:[00000030h] 1_2_009B61A0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A141E8 mov eax, dword ptr fs:[00000030h] 1_2_00A141E8
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0098B1E1
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00989100 mov eax, dword ptr fs:[00000030h] 1_2_00989100
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B513A mov eax, dword ptr fs:[00000030h] 1_2_009B513A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A4120 mov eax, dword ptr fs:[00000030h] 1_2_009A4120
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A4120 mov ecx, dword ptr fs:[00000030h] 1_2_009A4120
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AB944 mov eax, dword ptr fs:[00000030h] 1_2_009AB944
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098B171 mov eax, dword ptr fs:[00000030h] 1_2_0098B171
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098C962 mov eax, dword ptr fs:[00000030h] 1_2_0098C962
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BD294 mov eax, dword ptr fs:[00000030h] 1_2_009BD294
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099AAB0 mov eax, dword ptr fs:[00000030h] 1_2_0099AAB0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BFAB0 mov eax, dword ptr fs:[00000030h] 1_2_009BFAB0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009852A5 mov eax, dword ptr fs:[00000030h] 1_2_009852A5
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B2ACB mov eax, dword ptr fs:[00000030h] 1_2_009B2ACB
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B2AE4 mov eax, dword ptr fs:[00000030h] 1_2_009B2AE4
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A3A1C mov eax, dword ptr fs:[00000030h] 1_2_009A3A1C
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00985210 mov eax, dword ptr fs:[00000030h] 1_2_00985210
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00985210 mov ecx, dword ptr fs:[00000030h] 1_2_00985210
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098AA16 mov eax, dword ptr fs:[00000030h] 1_2_0098AA16
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00998A0A mov eax, dword ptr fs:[00000030h] 1_2_00998A0A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C4A2C mov eax, dword ptr fs:[00000030h] 1_2_009C4A2C
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A4AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A4AA16
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h] 1_2_009AA229
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A3B260 mov eax, dword ptr fs:[00000030h] 1_2_00A3B260
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A58A62 mov eax, dword ptr fs:[00000030h] 1_2_00A58A62
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00989240 mov eax, dword ptr fs:[00000030h] 1_2_00989240
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C927A mov eax, dword ptr fs:[00000030h] 1_2_009C927A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A4EA55 mov eax, dword ptr fs:[00000030h] 1_2_00A4EA55
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A14257 mov eax, dword ptr fs:[00000030h] 1_2_00A14257
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A55BA5 mov eax, dword ptr fs:[00000030h] 1_2_00A55BA5
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BB390 mov eax, dword ptr fs:[00000030h] 1_2_009BB390
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B2397 mov eax, dword ptr fs:[00000030h] 1_2_009B2397
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00991B8F mov eax, dword ptr fs:[00000030h] 1_2_00991B8F
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A3D380 mov ecx, dword ptr fs:[00000030h] 1_2_00A3D380
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A4138A mov eax, dword ptr fs:[00000030h] 1_2_00A4138A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B4BAD mov eax, dword ptr fs:[00000030h] 1_2_009B4BAD
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A053CA mov eax, dword ptr fs:[00000030h] 1_2_00A053CA
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009ADBE9 mov eax, dword ptr fs:[00000030h] 1_2_009ADBE9
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B03E2 mov eax, dword ptr fs:[00000030h] 1_2_009B03E2
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h] 1_2_009AA309
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A4131B mov eax, dword ptr fs:[00000030h] 1_2_00A4131B
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098F358 mov eax, dword ptr fs:[00000030h] 1_2_0098F358
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098DB40 mov eax, dword ptr fs:[00000030h] 1_2_0098DB40
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B3B7A mov eax, dword ptr fs:[00000030h] 1_2_009B3B7A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098DB60 mov ecx, dword ptr fs:[00000030h] 1_2_0098DB60
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A58B58 mov eax, dword ptr fs:[00000030h] 1_2_00A58B58
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099849B mov eax, dword ptr fs:[00000030h] 1_2_0099849B
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A06CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A06CF0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A414FB mov eax, dword ptr fs:[00000030h] 1_2_00A414FB
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A58CD6 mov eax, dword ptr fs:[00000030h] 1_2_00A58CD6
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h] 1_2_00A41C06
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A5740D mov eax, dword ptr fs:[00000030h] 1_2_00A5740D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A06C0A mov eax, dword ptr fs:[00000030h] 1_2_00A06C0A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BBC2C mov eax, dword ptr fs:[00000030h] 1_2_009BBC2C
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BA44B mov eax, dword ptr fs:[00000030h] 1_2_009BA44B
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h] 1_2_009BAC7B
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1C450 mov eax, dword ptr fs:[00000030h] 1_2_00A1C450
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A746D mov eax, dword ptr fs:[00000030h] 1_2_009A746D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BFD9B mov eax, dword ptr fs:[00000030h] 1_2_009BFD9B
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A505AC mov eax, dword ptr fs:[00000030h] 1_2_00A505AC
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00982D8A mov eax, dword ptr fs:[00000030h] 1_2_00982D8A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B2581 mov eax, dword ptr fs:[00000030h] 1_2_009B2581
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009B1DB5
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B35A1 mov eax, dword ptr fs:[00000030h] 1_2_009B35A1
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A4FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A4FDE2
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A38DF1 mov eax, dword ptr fs:[00000030h] 1_2_00A38DF1
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A06DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A06DC9
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A06DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00A06DC9
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0099D5E0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A58D34 mov eax, dword ptr fs:[00000030h] 1_2_00A58D34
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A0A537 mov eax, dword ptr fs:[00000030h] 1_2_00A0A537
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A4E539 mov eax, dword ptr fs:[00000030h] 1_2_00A4E539
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B4D3B mov eax, dword ptr fs:[00000030h] 1_2_009B4D3B
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098AD30 mov eax, dword ptr fs:[00000030h] 1_2_0098AD30
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h] 1_2_00993D34
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009A7D50 mov eax, dword ptr fs:[00000030h] 1_2_009A7D50
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C3D43 mov eax, dword ptr fs:[00000030h] 1_2_009C3D43
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A03540 mov eax, dword ptr fs:[00000030h] 1_2_00A03540
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A33D40 mov eax, dword ptr fs:[00000030h] 1_2_00A33D40
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AC577 mov eax, dword ptr fs:[00000030h] 1_2_009AC577
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A50EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A50EA5
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A046A7 mov eax, dword ptr fs:[00000030h] 1_2_00A046A7
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1FE87 mov eax, dword ptr fs:[00000030h] 1_2_00A1FE87
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B36CC mov eax, dword ptr fs:[00000030h] 1_2_009B36CC
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C8EC7 mov eax, dword ptr fs:[00000030h] 1_2_009C8EC7
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A3FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00A3FEC0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A58ED6 mov eax, dword ptr fs:[00000030h] 1_2_00A58ED6
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B16E0 mov ecx, dword ptr fs:[00000030h] 1_2_009B16E0
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009976E2 mov eax, dword ptr fs:[00000030h] 1_2_009976E2
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BA61C mov eax, dword ptr fs:[00000030h] 1_2_009BA61C
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098C600 mov eax, dword ptr fs:[00000030h] 1_2_0098C600
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009B8E00 mov eax, dword ptr fs:[00000030h] 1_2_009B8E00
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A3FE3F mov eax, dword ptr fs:[00000030h] 1_2_00A3FE3F
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A41608 mov eax, dword ptr fs:[00000030h] 1_2_00A41608
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0098E620 mov eax, dword ptr fs:[00000030h] 1_2_0098E620
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00997E41 mov eax, dword ptr fs:[00000030h] 1_2_00997E41
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A4AE44 mov eax, dword ptr fs:[00000030h] 1_2_00A4AE44
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AAE73 mov eax, dword ptr fs:[00000030h] 1_2_009AAE73
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099766D mov eax, dword ptr fs:[00000030h] 1_2_0099766D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00998794 mov eax, dword ptr fs:[00000030h] 1_2_00998794
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A07794 mov eax, dword ptr fs:[00000030h] 1_2_00A07794
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009C37F5 mov eax, dword ptr fs:[00000030h] 1_2_009C37F5
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AF716 mov eax, dword ptr fs:[00000030h] 1_2_009AF716
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BA70E mov eax, dword ptr fs:[00000030h] 1_2_009BA70E
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BA70E mov eax, dword ptr fs:[00000030h] 1_2_009BA70E
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AB73D mov eax, dword ptr fs:[00000030h] 1_2_009AB73D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009AB73D mov eax, dword ptr fs:[00000030h] 1_2_009AB73D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A5070D mov eax, dword ptr fs:[00000030h] 1_2_00A5070D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A5070D mov eax, dword ptr fs:[00000030h] 1_2_00A5070D
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_009BE730 mov eax, dword ptr fs:[00000030h] 1_2_009BE730
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A1FF10
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A1FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A1FF10
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00984F2E mov eax, dword ptr fs:[00000030h] 1_2_00984F2E
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00984F2E mov eax, dword ptr fs:[00000030h] 1_2_00984F2E
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00A58F6A mov eax, dword ptr fs:[00000030h] 1_2_00A58F6A
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099EF40 mov eax, dword ptr fs:[00000030h] 1_2_0099EF40
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_0099FF60 mov eax, dword ptr fs:[00000030h] 1_2_0099FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E138A mov eax, dword ptr fs:[00000030h] 14_2_038E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03831B8F mov eax, dword ptr fs:[00000030h] 14_2_03831B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03831B8F mov eax, dword ptr fs:[00000030h] 14_2_03831B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038DD380 mov ecx, dword ptr fs:[00000030h] 14_2_038DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03852397 mov eax, dword ptr fs:[00000030h] 14_2_03852397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0385B390 mov eax, dword ptr fs:[00000030h] 14_2_0385B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03854BAD mov eax, dword ptr fs:[00000030h] 14_2_03854BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03854BAD mov eax, dword ptr fs:[00000030h] 14_2_03854BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03854BAD mov eax, dword ptr fs:[00000030h] 14_2_03854BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038F5BA5 mov eax, dword ptr fs:[00000030h] 14_2_038F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A53CA mov eax, dword ptr fs:[00000030h] 14_2_038A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A53CA mov eax, dword ptr fs:[00000030h] 14_2_038A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h] 14_2_038503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h] 14_2_038503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h] 14_2_038503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h] 14_2_038503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h] 14_2_038503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h] 14_2_038503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384DBE9 mov eax, dword ptr fs:[00000030h] 14_2_0384DBE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038D23E3 mov ecx, dword ptr fs:[00000030h] 14_2_038D23E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038D23E3 mov ecx, dword ptr fs:[00000030h] 14_2_038D23E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038D23E3 mov eax, dword ptr fs:[00000030h] 14_2_038D23E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h] 14_2_0384A309
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E131B mov eax, dword ptr fs:[00000030h] 14_2_038E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382DB40 mov eax, dword ptr fs:[00000030h] 14_2_0382DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038F8B58 mov eax, dword ptr fs:[00000030h] 14_2_038F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382F358 mov eax, dword ptr fs:[00000030h] 14_2_0382F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382DB60 mov ecx, dword ptr fs:[00000030h] 14_2_0382DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03853B7A mov eax, dword ptr fs:[00000030h] 14_2_03853B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03853B7A mov eax, dword ptr fs:[00000030h] 14_2_03853B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0385D294 mov eax, dword ptr fs:[00000030h] 14_2_0385D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0385D294 mov eax, dword ptr fs:[00000030h] 14_2_0385D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h] 14_2_038252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h] 14_2_038252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h] 14_2_038252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h] 14_2_038252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h] 14_2_038252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0383AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0383AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0383AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0383AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0385FAB0 mov eax, dword ptr fs:[00000030h] 14_2_0385FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03852ACB mov eax, dword ptr fs:[00000030h] 14_2_03852ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03852AE4 mov eax, dword ptr fs:[00000030h] 14_2_03852AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h] 14_2_038E4AEF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03838A0A mov eax, dword ptr fs:[00000030h] 14_2_03838A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03825210 mov eax, dword ptr fs:[00000030h] 14_2_03825210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03825210 mov ecx, dword ptr fs:[00000030h] 14_2_03825210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03825210 mov eax, dword ptr fs:[00000030h] 14_2_03825210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03825210 mov eax, dword ptr fs:[00000030h] 14_2_03825210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382AA16 mov eax, dword ptr fs:[00000030h] 14_2_0382AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382AA16 mov eax, dword ptr fs:[00000030h] 14_2_0382AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03843A1C mov eax, dword ptr fs:[00000030h] 14_2_03843A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038EAA16 mov eax, dword ptr fs:[00000030h] 14_2_038EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038EAA16 mov eax, dword ptr fs:[00000030h] 14_2_038EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03864A2C mov eax, dword ptr fs:[00000030h] 14_2_03864A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03864A2C mov eax, dword ptr fs:[00000030h] 14_2_03864A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h] 14_2_0384A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03829240 mov eax, dword ptr fs:[00000030h] 14_2_03829240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03829240 mov eax, dword ptr fs:[00000030h] 14_2_03829240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03829240 mov eax, dword ptr fs:[00000030h] 14_2_03829240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03829240 mov eax, dword ptr fs:[00000030h] 14_2_03829240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038EEA55 mov eax, dword ptr fs:[00000030h] 14_2_038EEA55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038B4257 mov eax, dword ptr fs:[00000030h] 14_2_038B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038DB260 mov eax, dword ptr fs:[00000030h] 14_2_038DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038DB260 mov eax, dword ptr fs:[00000030h] 14_2_038DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038F8A62 mov eax, dword ptr fs:[00000030h] 14_2_038F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0386927A mov eax, dword ptr fs:[00000030h] 14_2_0386927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0385A185 mov eax, dword ptr fs:[00000030h] 14_2_0385A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384C182 mov eax, dword ptr fs:[00000030h] 14_2_0384C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03852990 mov eax, dword ptr fs:[00000030h] 14_2_03852990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038561A0 mov eax, dword ptr fs:[00000030h] 14_2_038561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038561A0 mov eax, dword ptr fs:[00000030h] 14_2_038561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E49A4 mov eax, dword ptr fs:[00000030h] 14_2_038E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E49A4 mov eax, dword ptr fs:[00000030h] 14_2_038E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E49A4 mov eax, dword ptr fs:[00000030h] 14_2_038E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038E49A4 mov eax, dword ptr fs:[00000030h] 14_2_038E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A69A6 mov eax, dword ptr fs:[00000030h] 14_2_038A69A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A51BE mov eax, dword ptr fs:[00000030h] 14_2_038A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A51BE mov eax, dword ptr fs:[00000030h] 14_2_038A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A51BE mov eax, dword ptr fs:[00000030h] 14_2_038A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A51BE mov eax, dword ptr fs:[00000030h] 14_2_038A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov eax, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov eax, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov eax, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038499BF mov eax, dword ptr fs:[00000030h] 14_2_038499BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038B41E8 mov eax, dword ptr fs:[00000030h] 14_2_038B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0382B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0382B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0382B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03829100 mov eax, dword ptr fs:[00000030h] 14_2_03829100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03829100 mov eax, dword ptr fs:[00000030h] 14_2_03829100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03829100 mov eax, dword ptr fs:[00000030h] 14_2_03829100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03844120 mov eax, dword ptr fs:[00000030h] 14_2_03844120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03844120 mov eax, dword ptr fs:[00000030h] 14_2_03844120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03844120 mov eax, dword ptr fs:[00000030h] 14_2_03844120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03844120 mov eax, dword ptr fs:[00000030h] 14_2_03844120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03844120 mov ecx, dword ptr fs:[00000030h] 14_2_03844120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0385513A mov eax, dword ptr fs:[00000030h] 14_2_0385513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0385513A mov eax, dword ptr fs:[00000030h] 14_2_0385513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384B944 mov eax, dword ptr fs:[00000030h] 14_2_0384B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0384B944 mov eax, dword ptr fs:[00000030h] 14_2_0384B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382C962 mov eax, dword ptr fs:[00000030h] 14_2_0382C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382B171 mov eax, dword ptr fs:[00000030h] 14_2_0382B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0382B171 mov eax, dword ptr fs:[00000030h] 14_2_0382B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03829080 mov eax, dword ptr fs:[00000030h] 14_2_03829080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A3884 mov eax, dword ptr fs:[00000030h] 14_2_038A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038A3884 mov eax, dword ptr fs:[00000030h] 14_2_038A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h] 14_2_038520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h] 14_2_038520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h] 14_2_038520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h] 14_2_038520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h] 14_2_038520A0
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\New order payment.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\New order payment.exe Code function: 1_2_00409B30 LdrLoadDll, 1_2_00409B30

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\New order payment.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 9B0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\New order payment.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New order payment.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New order payment.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\New order payment.exe Memory written: C:\Users\user\Desktop\New order payment.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\New order payment.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\New order payment.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New order payment.exe Process created: C:\Users\user\Desktop\New order payment.exe 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.280314359.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New order payment.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB

Stealing of Sensitive Information:

Yara detected FormBook

Remote Access Functionality:

Yara detected FormBook